One needs only to know how a website and applications work in order to exploit a modern connected vehicle, and much of that knowledge can be found freely online. Sam Curry, a cybersecurity expert who discovered vulnerabilities in connected vehicle systems, put it bluntly. After performing this research, I'm very much concerned with the future of car security. These issues were not incredibly complicated and many of them were very surface level. The access isn't buried in some secret server requiring inside knowledge. It's all in the site you use to access applications connected to your vehicle like FordPass, the Tesla App, and others.
The middle area between the car itself and the mobile app, which is used to unlock vehicles, is ripe for exploitation. By attacking this middle area, it is possible to compromise vehicles and cause very real harm to people. These sites aren't hidden. Clever searching, not expert hacking, gets you there. Once found, thieves have direct access to user data for both owners and their vehicles.
The equipment required is alarmingly accessible. RF and Bluetooth sniffers come in packages that can be easily hidden in your pocket, by cloning the signals between a key and the car's ignition and door locks. A device called Flipper Zero can be used to access vehicles if the security protocols are old enough, and nearly 200 specific vehicle models are vulnerable, from Kias and Hyundais to Fords, Hondas, Subarus, VWs, and more. The device costs $199 and can create what appears to be a shadow copy of the original key.
Modern vehicles, like Tesla, rely on Bluetooth signals from the owner's smartphone to enable keyless entry and ignition. Thieves exploit this by using relay devices to intercept and amplify these signals. With one device near the owner's phone, even inside a building, and another close to the vehicle, they effectively fool the car into thinking the owner is nearby, allowing them to unlock and start it. Your phone is in your bedroom. The car is in the driveway. The thief stands outside with two cheap devices and the car unlocks as if you were standing there yourself.
The vulnerability extends to the apps themselves. Tested apps were defenseless against overlays on their windows. If, owing to that, an evildoer obtains the username and password for the system, then he will be able to unlock the doors of the car. The app stored the username for the system as well as a plethora of other interesting data, such as the car's make, the VIN, and the car's number, as clear text. Plain text. No encryption. No security beyond hoping nobody looks.
The scale of the problem is measurable. According to new data from the National Insurance Crime Bureau, the Hyundai Elantra was the most stolen car in the US in the first half of 2025, with more than 11,000 thefts nationwide. That's despite major software patches and security updates from Hyundai meant to close the loopholes thieves had been exploiting since 2022. The fixes didn't work. Thieves adapted faster than manufacturers could patch.
A lawsuit alleges that certain GM keyless entry systems are vulnerable to signal cloning, a technique that allows thieves to mimic your fob signal and drive off without a trace, which helps explain why the Silverado holds the title of most stolen pickup in America. Older Civics, especially those built before 2001, didn't come with immobilizers, making them prime hotwire targets, but newer models with smartphone integration face different vulnerabilities entirely.
The irony cuts both ways. If an EV is stolen, the owner or the manufacturer can often track it instantly via a smartphone app. Tesla, Rivian, Hyundai, and others allow owners to remotely view their car's location, lock the doors, disable driving functionality, and even limit top speed. In many cases, stolen EVs are recovered within hours because they can't hide. The same connectivity that makes cars vulnerable also makes them easier to recover. Tesla's Sentry Mode uses the car's cameras and sensors to pick up suspicious activity when parked, can flash the lights, sound the alarm, display a warning, send an alert to an app, and record a 10 minute video clip. Thieves know this. The Tesla Model 3, Model Y, and Model S have remarkably low theft claims with law enforcement and insurance providers.
But that's cold comfort if your car lacks those systems. Car thefts nationwide declined in 2024, with 850,708 vehicle thefts in the United States, 17 percent fewer than 2023. Still, that's nearly a million stolen vehicles in a single year. District of Columbia took the top spot in the nation with about 842 thefts per 100,000 residents. The decline is encouraging. The absolute numbers remain terrifying.
Protection options exist but feel absurd. Experts have recommended wrapping your key up in aluminum foil, putting your key fob in an electronic preventive pouch, or something as ridiculous as putting your key fob in the refrigerator when you are in the house to stop your signal from being broadcast and stop somebody from picking up your security code. We've reached the point where storing your car keys in the fridge is legitimate security advice because thieves can clone the signal through your front door.
David Bennett, senior repair manager at AAA, explains that there is nothing that one can do to 100 percent prevent a car thief from stealing your vehicle. If they want it badly enough, they will find a way to steal it. Most car thieves are looking for quick hits. Anything you can do to give them pause or cause extra effort, they may reconsider and move on to another vehicle. That's the depressing reality. You can't stop them. You can only make your car slightly more annoying than the one parked next to it.
The technology that was supposed to make car ownership more convenient created attack surfaces that didn't exist when cars were purely mechanical. Breaking a window and hot wiring an ignition required tools, knowledge, and time. Now thieves stand outside your house with devices costing a few hundred dollars, clone your phone's Bluetooth signal, and drive away in seconds. Apps that unlock your car from anywhere also unlock it for anyone who can exploit the middleman server you never see or interact with.
Manufacturers keep patching. Thieves keep adapting. The apps remain vulnerable because security was an afterthought to convenience, and retrofitting security into systems designed without it is nearly impossible. Your phone is the key to your car. Unfortunately, so is theirs.
