The seamless integration of advanced software and connectivity in modern vehicles has transformed them into sophisticated computers on wheels, yet this evolution carries a significant and often overlooked risk. Recent revelations from the annual Pwn2Own competition in Tokyo have cast a harsh light on the automotive industry’s cybersecurity posture, demonstrating that the potential for malicious vehicle hacking is no longer a theoretical concern but a practical and alarmingly accessible reality. As researchers unearth a growing number of critical vulnerabilities in everything from infotainment systems to electric vehicle charging infrastructure, it becomes clear that the security measures meant to protect drivers are failing to keep pace with the rapid advancement of in-car technology, creating a dangerous gap that could be exploited with devastating consequences.
A Sobering Showcase of Widespread Weaknesses
The Pwn2Own event provided a clear measure of the industry’s current security posture, and the results were nothing short of staggering. Over the course of just two days, ethical hackers and security researchers successfully demonstrated a total of 66 unique zero-day vulnerabilities affecting various vehicle components and systems. This flurry of successful exploits, which earned the participants nearly a million dollars in prize money, underscores the pervasive nature of these security flaws. The competition’s high success rate, with five out of every six attempts resulting in a compromise, serves as a powerful testament to the fact that exploitable weaknesses are not rare exceptions but are frustratingly common. This event effectively transitioned the conversation about vehicle hacking from a distant, hypothetical threat into an immediate and demonstrable problem that demands urgent attention from manufacturers and regulators alike.
Further compounding the concern was the phenomenon of “collisions,” where multiple independent research teams discovered and targeted the exact same vulnerability. Approximately one-third of the successful attempts fell into this category, a statistic that offers a crucial insight into the nature of these flaws. It suggests that the vulnerabilities being uncovered are not obscure, deeply hidden bugs that require extraordinary effort to find. Instead, these are more likely significant and relatively obvious weaknesses in system design, implementation, or configuration—low-hanging fruit for skilled adversaries. The high frequency of these overlaps indicates a systemic issue, pointing to common insecure practices or a failure to implement well-known security principles across the industry. This reality highlights the urgent need for a fundamental shift in how vehicle systems are designed and vetted before they ever reach the consumer market.
New Roads to Compromise
Among the most troubling findings was the emergence of novel and disarmingly simple methods for compromising vehicle systems. A standout example involved a researcher from the Synacktiv team who targeted an Autel MaxiCharger. In a demonstration of startling efficiency, the researcher simply swiped a specially crafted Near-Field Communication (NFC) card near the EV charger. This single, swift action was enough to trigger a buffer overflow, granting the attacker complete control over the charging station. Dustin Childs, head of threat awareness for Trend AI’s Zero Day Initiative (ZDI), described the ease of the attack as “amazing to see,” emphasizing how accessible and seemingly benign points of interaction can serve as potent entry points for a prepared attacker. This specific hack powerfully illustrates that the vehicular attack surface is expanding in unexpected ways, turning everyday convenience features into potential security liabilities.
The competition also made it clear that NFC is far from the only accessible attack vector that manufacturers need to address. Other successful exploits leveraged different wireless protocols and even physical connections that are part of a vehicle’s normal operation. Researchers demonstrated hacks that utilized Bluetooth to gain a foothold, while others found ways to compromise systems through the physical charging gun itself. These methods prove that the security perimeter of a modern vehicle extends far beyond its internal networks and dashboard interfaces. As cars become more integrated with their environment—communicating with chargers, phones, and other infrastructure—every connection point becomes a potential gateway for malicious actors. This expanding attack surface requires a more holistic security strategy that accounts for every way a vehicle interacts with the outside world, from wireless signals to the very plug that powers it.
Persistent Flaws in Design and Architecture
For years, security experts have consistently identified in-vehicle infotainment (IVI) systems as the automotive world’s soft underbelly, and this trend shows no sign of abating. This persistent issue, which first captured widespread public attention with the landmark 2015 remote hack of a Jeep initiated through its infotainment unit, remains a critical point of failure. According to Alex Plaskett of NCC Group, IVI systems are such attractive targets because they are often deeply integrated with a vehicle’s core operational networks yet are not built with the same level of security hardening as modern mobile operating systems. They frequently lack critical security mitigations, making them significantly easier to exploit. In a damning indictment of the industry’s response time, the ZDI had to explicitly ban researchers from using certain known IVI vulnerabilities in this year’s contest because manufacturers had failed to patch them since the previous year’s event.
Beyond specific software bugs, a more profound and systemic issue lies within the architectural design of these complex systems. Liz James, a managing security consultant at NCC Group, points out that many security issues are not the result of a simple coding error but stem from a “lack of security depth in the architecture.” This means that attackers are increasingly able to compromise systems by abusing intended functionality rather than exploiting a hidden flaw. Features designed for legitimate purposes—such as dealership diagnostics, remote servicing interfaces, and warranty claim processes—can become powerful tools for an attacker if they are not secured with defense-in-depth principles. In these scenarios, an adversary does not need to discover a zero-day bug; they can simply manipulate the vehicle’s own maintenance and administrative tools to compromise a single vehicle or, more alarmingly, an entire fleet of vehicles.
Electrification Is Charging up Cyber Risks
The automotive industry’s rapid pivot toward electrification is simultaneously creating a more complex and high-risk security ecosystem. While traditional gas pumps have had their own vulnerabilities, the deeply interconnected nature of electric vehicles and their charging infrastructure introduces an entirely new dimension of cyber risk. The Pwn2Own contest demonstrated that this connection is a two-way street for exploitation. Researchers showed that it is possible to plug a compromised vehicle into a charger and subsequently take control of the charging station. Conversely, and perhaps more concerning for the average EV owner, a compromised charging station could potentially be used as a weapon to attack any vehicle that connects to it. As noted by ZDI’s Dustin Childs, this level of bidirectional communication and the potential for cross-contamination between vehicle and infrastructure was a surprising and deeply concerning trend.
This heightened risk is exacerbated by the sheer speed at which the EV charging infrastructure is being deployed. As Liz James explains, this new ecosystem is being built at an extremely high rate, with network functionality integrated at every layer, often before the industry has had a chance to establish the long-term security and resiliency patterns seen in more mature technology sectors. Unlike established IT networks, which have benefited from decades of security evolution, the EV charging world is still in its relative infancy. This rapid, function-first rollout risks embedding systemic vulnerabilities into the foundation of a critical infrastructure. The rush to build out a nationwide network of chargers may be prioritizing speed and interoperability over the robust, defense-in-depth security principles needed to protect both the grid and the vehicles that depend on it.
Charting a More Secure Path Forward
The insights from the Pwn2Own competition painted a clear and urgent picture of the automotive industry’s cybersecurity challenges. The findings revealed an industry struggling to secure a rapidly expanding attack surface, fueled by the push toward software-defined vehicles and widespread electrification. Security practices were shown to be lagging, evidenced by the continued presence of easily exploitable infotainment systems, the failure to patch year-old vulnerabilities, and the emergence of new attack vectors through NFC, Bluetooth, and charging equipment. The threat model itself had evolved, shifting from the exploitation of simple bugs to the malicious use of legitimate, but poorly secured, administrative functions. The consensus among experts was that if a vehicle system could be compromised, it eventually would be. This called for a fundamental shift in the industry’s approach, moving from a reactive, patch-based model to a proactive, security-by-design philosophy that embeds defense-in-depth at every stage of a vehicle’s lifecycle.