Grand Theft Auto: When Hackers Hijack Your Car

No photo availableCIO Africa authorByCarol Odero
3 min read
Our technology-driven existence now means the threat of cybersecurity follows you wherever you go. Now, even your car is fair game.

Imagine you’re driving down the expressway over a random weekend. Your windows are open, letting in a cool mid-morning breeze. Spotify hums. Your dashboard glows softly. Then suddenly, your engine cuts off. Not because you hit a button, but because someone else, somewhere, did.

You’ve seen this scenario in The Italian Job and The Fate Of The Furious.

At the Security Analyst Summit 2025, cybersecurity giant Kaspersky revealed a discovery that could redefine what “car theft” means when everything is connected. Their team found a dire vulnerability. One that could allow hackers to remotely take control of an entire fleet of connected cars from one major automotive manufacturer.

It wasn’t a Hollywood-style stunt either. It was a quiet, technical infiltration, starting not with the carmaker itself, but with a contractor—a company providing online tools to manage internal data.

The Digital Key To The Kingdom

Here’s how it happened.

Through a flaw in a publicly accessible web app—aka zero-day vulnerability—Kaspersky’s researchers managed to sneak through the contractor’s digital defences. From there, they found weak passwords, unprotected files, and a trail that led straight into the manufacturer’s telematics systems.

Telematics, the thing that makes your car “smart,” and comprises its invisible nervous system connecting the vehicle to the internet—handling GPS, diagnostics, software updates, and more, was also its Achilles heel.

Once inside, researchers found that a misconfigured firewall was exposing internal servers to the open internet. Using credentials they had already acquired, they accessed deeper layers of the network—and that’s when things got interesting.

They discovered a way to send fake firmware updates to a car’s Telematics Control Unit (TCU), the brain that talks to the engine, the transmission, and even the braking systems. In theory, a hacker could manipulate these functions, forcing sudden gear shifts or cutting the engine entirely—all remotely.

A Wake-Up Call For The Auto Industry

“The security flaws stem from issues that are quite common in the automotive industry: publicly accessible web services, weak passwords, lack of two-factor authentication (2FA), and unencrypted sensitive data storage. This breach demonstrates how a single weak link in a contractor’s infrastructure can cascade into a full compromise of all of the connected vehicles,” said Artem Zinenko, Head of Kaspersky ICS CERT Vulnerability Research and Assessment, adding that “The automotive industry must prioritise robust cybersecurity practices, especially for third-party systems, to protect drivers and maintain trust in connected vehicle technologies.”

It’s a stark reminder of how a car is no longer just an independent, mechanical object. Instead, it’s a hyperconnection; a computer on wheels. And like any computer, it’s only as safe as its weakest password.

The Road To Safety

Kaspersky’s recommendations sound like a to-do list every modern car company should have already completed: limit public internet access to sensitive systems, require two-factor authentication, encrypt data, and separate car systems from corporate networks.

In other words, treat car cybersecurity with the same seriousness as brakes or airbags. Because, obviously, digital safety is also now physical safety.

This discovery doesn’t just expose one company’s flaws. It highlights a blind spot in the automotive industry. As cars become more autonomous, more connected, and more dependent on over-the-air updates, the risks multiply.

Today’s car thieves might not carry crowbars to crack a door. They’ll crack the code.

Leave a Reply

Your email address will not be published.

Do you have a story that you think would interest our readers? Write to us editorial@cioafrica.co