Aug 2020:

A cyber security researcher gained control of an OEM’s entire connected vehicle

fleet.
He exploited a vulnerability in Tesla's server-side mechanism to access Tesla's
network and view a repository of server images. One of the servers accessed was the
command-and-control server that communicated with Tesla's fleet, including remote
commands and diagnostic information. A critical vulnerability in the server enabled
the hacker to control any vehicle in the fleet.
Keyless entry – more than 25%

Keyless entry needs to be in proximity to the car.

Remote fobs – requires pushing a button to open the doors;
Allows you to start the engine wireless and drive away
The most common attack vectors used to break and steal vehicles.
Market has many “smart devices” capable of performing attacks on keyless entry. Not
cheap, but accessible.
Application and mobile application – almost 10%

3 vulnerabilities were found in the Android Automotive OS (AAOS) – Dec 2021 -

malicious application to bypass user interaction requirements to gain access to
additional permissions
A vulnerability (CVE-2021-29507) was found in a diagnostic log and trace tool of
GENIVI Alliance, an automotive industry alliance that develops standard approaches
for integrating operating systems and middleware present in the centralized and
connected vehicle cockpit. The vulnerability allows a remote attacker to perform a
denial of service (DoS) attack. May 2021
analysts found 29 potential cybersecurity attack vectors and ranked five as the
highest risks, which derived from the use of connected cars in satellite, cellular,
Wi-Fi, Bluetooth, RDS, eSIM-based telematics, and other types of connectivity to
send and receive data. The authors noted that all these network-centric
applications created new attack surfaces in connected cars. Feb 2021
Researchers reverse engineered the Android head unit system of KIA Cee'd, exploited
the vehicle's ability to install third-party applications, and instead installed an
app containing malware – nov 2020