Connect with us

Hi, what are you looking for?


IoT Security

Car Cybersecurity Study Shows Drop in Critical Vulnerabilities Over Past Decade

An automotive cybersecurity study shows that critical-risk vulnerabilities have decreased in the past decade.

Car vulnerability analysis

Research-focused security services provider IOActive has conducted an analysis of car vulnerability trends over the past decade and determined that the automotive industry has been placing increasing importance on cybersecurity. 

The new IOActive automotive cybersecurity study (PDF) looks at vulnerabilities discovered over the last 10 years, with a focus on trends between 2016, 2018 and 2022.  

The company has ranked and grouped vulnerabilities based on their potential real-world impact, their likelihood of exploitation, and their overall risk, with this risk level being calculated based on impact and likelihood. 

In terms of impact, the percentage of car vulnerabilities with a critical rating went from 25% of the total in 2016, to 10% in 2018, and 12% in 2022. High-impact flaws gradually decreased from 25% to 21% between 2016 and last year.

However, over the past 10 years, the percentage of critical issues dropped by 13% and high-impact issues by 4%. 

In terms of likelihood of exploitation, critical vulnerabilities went from 7% of the total in 2016 to 1% in 2022. High-likelihood issues dropped to 16% in 2022, from 21% in 2016. This, according to IOActive, suggests that vulnerabilities are becoming more difficult to exploit or “the vectors to discover vulnerabilities are becoming less remote”.

“In cybersecurity parlance, there is less ‘low-hanging fruit,’ indicating that between 2018 and 2022, the automotive industry learned from its initial mistakes and is building better,” the cybersecurity firm said.

Overall, the percentage of critical- and high-likelihood vulnerabilities decreased by 6% and 5%, respectively, in the past 10 years. 

Advertisement. Scroll to continue reading.

When it comes to the overall risk, the percentage of high-risk vulnerabilities has increased by 3% and medium-risk issues by 25% in the past 10 years, but critical-risk weaknesses decreased by 17% over the same period. 

The ‘critical risk’ rating is assigned to issues that can be exploited remotely and are easy to discover, with impact including complete component compromise or safety concerns. High-risk flaws are ones that can be exploited from nearby or require limited skills, and their impact includes partial component control, sensitive information disclosure or a potential safety concern.

As for attack vectors, physical hardware attacks dropped from 28% in 2016 to 10% in 2022, but local and networked attack vectors have increased. IOActive has also seen a slight but important rise — from 0% to 1% — in radio frequency attacks, particularly remote keyless entry and Bluetooth attacks.  

IOActive has attributed the positive trends to the automotive industry building cybersecurity into earlier stages of the development process, as well as its efforts to reduce higher likelihood attack vectors and its improved maturity level in deploying cybersecurity practices.  

On the other hand, IOActive has also raised some potential concerns. One of them is that while critical vulnerabilities are less common, threat actors could turn to chaining multiple less severe flaws — such as medium-risk issues, which increased significantly — to achieve their goals, rather than relying on a single critical weakness.

Related: Over $1 Million Offered at New Pwn2Own Automotive Hacking Contest

Related: Automotive Security Threats Are More Critical Than Ever

Related: US Subsidiary of Automotive Hose Maker Nichirin Hit by Ransomware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.