Is Malaysia’s EV boom a cybersecurity risk?
A new report says the industry’s shift towards software-dependent vehicles is creating new vulnerabilities for hackers to exploit
Hackers are increasingly targeting Malaysia’s growing automotive sector, cybersecurity experts have warned in a new report that raises alarm over gaps in threat detection, including potential data theft via phones hooked to vehicular digital dashboards.
A key automotive manufacturing hub in Southeast Asia, Malaysia has attracted around 26 billion ringgit (US$6.15 billion) in electric vehicle investments since 2018 from global marquee names including Tesla, Mercedes-Benz, Volvo, BMW, Porsche, Audi, Stellantis and Dongfeng.
But the industry’s rapid shift towards software-dependent vehicles is creating new vulnerabilities ripe for exploitation by malicious actors, according to Singapore-based Ensign Infosecurity’s 2025 report on the cyber threat landscape in Asia-Pacific.
“Malaysia’s extensive network of automotive suppliers, manufacturers, and service providers further exposes organisations to vulnerabilities in the cyber supply chain,” Jeremy Moke, senior director of Ensign Infosecurity Malaysia, told This Week in Asia.
One vulnerability involves attackers intercepting sensitive data from mobile devices connected to a compromised vehicle’s infotainment systems through widely used platforms such as Apple CarPlay and Android Auto, according to Moke.
“The automotive and mobility sector is an emerging target sector in Malaysia,” Moke said. “The proliferation of modern vehicles integrating complex computing, software, and the supporting infrastructure creates new points of vulnerability.”
Ensign’s report puts the automotive sector behind the public sector, telcos, hospitality and banks in the ranking of industries most vulnerable to cyberattacks.
It also points to emerging threats targeting Malaysia’s wider infrastructure, such as energy and utilities, as well as the nation’s defence and law enforcement sectors.
These vulnerabilities are compounded by an evolving threat landscape across Asia-Pacific, where hackers are not only growing in numbers and their technical skills but also increasingly collaborating with organised crime syndicates and state-linked actors.
Those alliances have blurred traditional lines between ideologically driven cyberattacks and those driven by commercial gains or espionage, according to the study.
“The cyber underground today fosters both competition and collaboration, significantly boosting the effectiveness and success rates of cyberattacks,” Moke explained.
“These alliances, combined with widening supply-chain vulnerabilities, have made threat groups like hacktivists more capable, persistent, and difficult to dislodge.”
It is also taking longer for cyberattacks to be detected, from an average of 49 days in 2023 to 201 days last year.
Unhandled type: inline-plus-widget {“type”:”inline-plus-widget”}
Even in highly regulated sectors such as banking, attackers had enjoyed prolonged windows of opportunity, with breaches typically taking around 21 days on average to detect and rarely identified in less than 10 days, Ensign said. Such a substantial lag gives attackers ample time to access and steal critical data long before security teams can respond.
Data breaches have dominated conversations in Malaysia over its level of online security defence in the past few years and have significantly contributed to the slow adoption of the government’s new digital identification initiative.
The MyDigital ID, billed as a unified login across state agencies consolidating data of citizens aged 18 and over on government systems, has seen lacklustre uptake. Despite a high-profile launch by Prime Minister Anwar Ibrahim in December 2023, only 2.8 million Malaysians have registered, highlighting public scepticism over the safety of their personal data.
In 2022, the personal information of 22.5 million Malaysians, allegedly leaked from the National Registration Department, was reportedly sold on the dark web for just US$10,000. Later that year, a separate breach exposed the personal details of 13 million voters, including national ID numbers, addresses and phone numbers.
