Upstream’s report finds that the rapid adoption of Physical AI, with autonomous vehicles among the first production-ready systems in real-world operation, is expanding attack surfaces and accelerating attacker capabilities, creating large-scale cyber risks with massive impact potential.
Upstream, the leading AI-powered cybersecurity detection and response platform (XDR) purpose-built for connected vehicles, physical AI, and smart mobility, released today its 2026 Global Automotive and Smart Mobility Cybersecurity Report. Now in its eighth year, the report reveals a material escalation in cybersecurity risks across Automotive and Smart Mobility. This is driven by the rapid expansion of APIs and AI-driven architectures, alongside the increased sophistication of organized threat actors. Together, these forces are widening the gap between adversary capability and the industry’s current cybersecurity posture, with ransomware continuing to emerge as one of the fastest-growing and most disruptive attack types in 2025.
Analyzing 494 publicly reported cybersecurity incidents from 2025 within the Automotive and Smart Mobility ecosystem worldwide, the report recognizes two converging trends reshaping automotive cybersecurity: First, AI architectures have dramatically expanded the attack surface, introducing new entry points and systematic exposures across the entire ecosystem. Second, financially motivated, well-resourced, and coordinated attack groups are increasingly targeting the sector, causing a major escalation in ransomware attacks that can translate into billions of dollars in operational and economic losses. Furthermore, ransom attacks are now expanding beyond IT and enterprise systems into the actual vehicles, as shown in mid-2025 when attackers accessed remote vehicle command & control systems (via the companion app), locked owners out, took remote control of functions like ignition and door locks, and demanded ransom payment to restore access.
AI as a Double-Edged Sword
“The automotive industry is an early adopter of Physical AI, and as AI capabilities rapidly expand across markets, it now serves as the reference architecture for safety-critical, highly connected systems,” said Yoav Levy, Co-Founder and CEO of Upstream. “However, AI is also enabling attackers to move faster, at greater scale, and with more automation while the industry is still relying on security models built for a far more static world. Our 2026 report shows that AI significantly expands the cybersecurity attack surface, as traditional perimeter defenses no longer suffice when AI systems adapt dynamically and directly influence physical outcomes.”
The report examines AI as a dual threat reshaping the automotive cybersecurity landscape: AI is both expanding the attack surface and accelerating attacker capabilities. The rapid adoption of generative AI and large language models (LLMs) alongside API-centric architectures and frequent over-the-air (OTA) updates has introduced new points of exposure and increased complexity across the vehicle ecosystem. The report highlights how backend servers and APIs have become the primary weak points, as this growing interconnectivity between vehicles, cloud platforms, and apps increases the likelihood of systemic cybersecurity incidents.
Ransomware Drives 2025 Cyber Escalation
The report also found that 2025 saw a sharp rise in large-scale, coordinated attacks by organized threat actors on the Automotive and Smart Mobility ecosystem, with increasingly severe operational disruption, financial damage, and reputational consequences. The report highlights that ransomware attacks increased significantly as part of this broader escalation in cyber activity, with 44% of attacks being ransomware-related, more than double the volume than in 2024. In the most severe cases, these attacks triggered cascading disruptions across OEMs, suppliers, production environments, and wider supply chains. 2025’s largest incident, a cyberattack on a European OEM, exemplified the chain-reaction impact now possible when organized threat actors target interconnected mobility ecosystems. The attack paralyzed the OEM’s production and enterprise systems for several weeks, forcing local authorities to provide financial support. In addition to direct impact on the OEM, the attack indirectly impacted a wide array of suppliers and evidence of impact was evident in the decrease in GDP.
Additional Findings and Insights
- 71% of incidents were attributed to black hat actors, up from 65% in 2024.
- 92% of automotive cyber attacks were conducted remotely, of which 86% required no physical proximity to vehicles and systems.
- 67% of incidents involved telematics and cloud systems as attack vectors; however, APIs continue to serve as the nervous system of the Automotive and Smart Mobility ecosystem and the enabler of a significant portion of incidents.
- 68% of incidents involved data and privacy breaches, while 34% of incidents were focused on business and operational disruption.
- 61% of incidents had the potential to impact thousands to millions of mobility assets; 20% were massive-scale events.
The report also includes a comprehensive analysis of deep and dark web activity related to automotive-specific cyber threats, a review of relevant regulatory developments, and an examination of how AI is being incorporated into cybersecurity resilience.