Security researchers have uncovered significant vulnerabilities in the 2020 Nissan Leaf electric vehicle, demonstrating that attackers could remotely access and control various car functions.
By exploiting weaknesses in the infotainment system's Bluetooth capabilities, they infiltrated the vehicle's internal network, escalated privileges, and established a command-and-control channel over cellular networks. This access allowed them to monitor the car's location, capture screenshots from the infotainment display, and even record in-cabin conversations.
Beyond surveillance, the researchers showed that they could manipulate physical aspects of the vehicle remotely, including operating the doors, windows, mirrors, lights, horn, windshield wipers, and even the steering wheel—even while the car was in motion.
These vulnerabilities, assigned CVE identifiers CVE-2025-32056 through CVE-2025-32063, were disclosed to Nissan in August 2023, with confirmation from the company in January 2024. While Nissan acknowledged the findings, they have not publicly detailed specific countermeasures, citing security concerns.
Source: SecurityWeek
A connected vehicle would be an ideal target for threat actors, from both an espionage perspective and for those looking to cause harm to their occupants, other drivers, and property. The list of actions threat actors could take with a compromised connected car is nearly endless.
For example, they could eavesdrop on conversations, gain access to geographical information, such as travel patterns, and obtain imagery of sensitive sites the vehicle may have access to from its cameras. Even worse, threat actors could take physical control of the vehicle, potentially harming the occupants or damaging critical infrastructure.
Other connected cars have been hacked by ethical hackers. In early 2024, a hacker team participating in the Automotive Pwn2Own competition successfully hacked a Tesla Model 3, which allowed the team to execute arbitrary code within Chrome's renderer sandbox on the vehicle’s infotainment system. From there, the team could potentially escape the sandbox and pivot to compromise other functions of the vehicle as well. Fortunately, Tesla rolled out updates to their vehicles to address this issue shortly after it was discovered.
It's important to remember that state-sponsored cyber actors wouldn’t be the only threat actor interested in compromising connected vehicles. Ransomware actors would likely be highly motivated to target vehicles as they could potentially disable vehicles and/or threaten to leak sensitive conversations or interactions that may have taken place in the vehicle unless a ransom is paid.
Given the bevy of malicious actions possible when threat actors obtain access to a connected vehicle, as well as Russia and China’s demonstrated capability of conducting supply chain attacks, the U.S. proposed to ban connected cars manufactured in Russia and China in 2024. The ban was finalized in January 2025 and takes effect in 2027.
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in emerging technologies like connected vehicles.
Field Effect strongly recommends owners of connected vehicles ensure their software is up to date by enabling automatic updates.