Upstream’s report points out that the rapid proliferation of physical artificial intelligence or AI, especially autonomous vehicles as one of the first mass-produced systems deployed in real-world applications, is expanding the attack surface. In addition, it is enhancing attacker capabilities. As a result, this leads to large-scale cyber risks and significant potential impacts.
Upstream is a leading AI-driven cybersecurity detection and response platform (XDR) built for connected cars, physical artificial intelligence, and smart mobility. Today, it released its “2026 Global Automotive and Smart Mobility Cybersecurity Report.” This report, now in its eighth year, reveals a significant escalation in cybersecurity risks within the automotive and smart mobility sector. This trend is primarily due to the rapid expansion of APIs and AI-driven architectures. Additionally, the increasingly sophisticated attack methods employed by organized threat actors contribute to the escalation. These factors combined are widening the gap between adversary capabilities and the current cybersecurity landscape of the industry. Moreover, ransomware is projected to become one of the fastest-growing and most destructive attack types by 2025.
The report analyzes 494 publicly reported cybersecurity incidents in the global automotive and smart mobility ecosystem in 2025. It highlights two major trends reshaping automotive cybersecurity. First, AI architectures are significantly expanding the attack surface. This trend introduces new entry points and systemic vulnerabilities throughout the ecosystem. Secondly, well-funded, well-organized, and highly motivated attack groups are increasingly targeting this industry. This has led to a significant escalation of ransomware attacks and potentially caused billions of dollars in operational and economic losses. Furthermore, ransomware attacks are expanding from IT and enterprise systems to vehicles themselves. For example, by mid-2025, attackers could remotely access vehicle control systems via accompanying applications. In these scenarios, they may lock owners out of their vehicles, remotely control functions such as ignition and door locks, and demand a ransom to restore access.
Artificial Intelligence: A Double-Edged Sword
Upstream co-founder and CEO Yoav Levy stated:
“The automotive industry was an early adopter of physical AI, and as AI capabilities rapidly expand across markets, it has now become the reference architecture for safety-critical, highly interconnected systems.”
“However, AI also enables attackers to act faster, on a larger scale, and more automatically, while the automotive industry still relies on security models built for a more static world. Our 2026 report shows that AI significantly expands the cybersecurity attack surface because traditional perimeter defenses are no longer sufficient when AI systems dynamically adapt and directly impact physical outcomes.”
The report views AI as a dual threat reshaping the automotive cybersecurity landscape: it both expands the attack surface and enhances attacker capabilities. The rapid proliferation of generative AI and large language models (LLMs), along with API-centric architectures and frequent over-the-air (OTA) updates, introduces new security vulnerabilities and adds complexity to the entire automotive ecosystem. The report emphasizes that backend servers and APIs have become major weak points. Moreover, the increasing interconnectivity between vehicles, cloud platforms, and applications increases the likelihood of systemic cybersecurity incidents.
Ransomware Drives Cybersecurity Upgrade in 2025
The report also found that in 2025, large-scale coordinated attacks by organized threat actors targeting the automotive and smart mobility ecosystem will increase dramatically. This will cause increasingly severe operational disruptions, economic losses, and reputational damage. The report emphasizes a significant increase in ransomware attacks as part of a broader upgrade in cyber activity, with 44% of attacks related to ransomware. This is more than double the number in 2024. In the most severe cases, these attacks triggered cascading disruptions to original equipment manufacturers (OEMs), suppliers, production environments, and the wider supply chain.
The largest cyberattack in 2025 — targeting a European OEM — demonstrates the potential ripple effects when organized threat actors target the interconnected mobility ecosystem. This attack crippled the OEM’s production and enterprise systems for weeks, forcing local government financial assistance. In addition to the direct impact on the OEM, the attack indirectly affected numerous suppliers. Consequently, this resulted in a decline in GDP.