In 2015, a Wired journalist caught a ride with IOActive researchers Charlie Miller and Chris Valasek in a Jeep Cherokee. At 70mph, the car's air conditioning began blasting out freezing air, the radio switched station on its own, the windshield wipers turned themselves on with wiper fluid spurting, and then the car ran itself off the road.
The same researchers later performed a physical attack on the vehicle's CAN bus to seize control of the car's braking system and at only 25 mph, this was nearly enough to tip over the car.
In 2018, researchers uncovered a bug in a misconfigured server run by Calamp that granted them access to backend systems of Internet-connected vehicle management systems provided by Viper SmartStart.
The team were able to locate vehicles, reset passwords, unlock side doors, disable alarms, start engines, and, in theory, could have stolen target vehicles.
KU Leuven University researchers demonstrated how to steal a Tesla "in a matter of seconds" due to poor cryptographic standards used by Tesla key fobs.
Security researcher Samy Kamkar created OwnStar, a Raspberry Pi-based device which cost less than $100 to make, in order to show it was possible to abuse the OnStar connected car system to "locate, unlock and remote start any vehicle with OnStar RemoteLink."
Trend Micro researchers have been able to exploit a fundamental issue in how Controller Area Network (CAN) protocols operate, a necessary requirement for connected vehicles, in order to reprogram a car's infotainment system, disable airbags, tamper with locking systems, steal a vehicle, and more
In 2016, Computest researchers Daan Keuper and Thijs Alkemade revealed multiple vulnerabilities which were present in the infotainment systems of some Volkswagen and Audi vehicles which could be exploited to seize control of microphones, speakers, and navigation systems.
A zero-day bug uncovered in 2016 by Vulnerability Labs affected the BMW web domain and ConnectedDrive portal, an area for owners of new, connected vehicles. If exploited, the bug could be used by attackers to change the vehicle registration numbers of cars.