Eight(!) hacking events & 649 exploitable vulnerabilities in connected cars in China. Yep.

A group of automotive security experts from China and Singapore shared their work analyzing 649 confirmed, exploitable vulnerabilities in Intelligent Connected Vehicles (ICVs) from China, Germany, the United States, Japan, South Korea, and France.

The most interesting part, IMO, is the source of those vulnerabilities: eight (8!) hacking competitions held in China between January 2023 and April 2024, with a total of 48 vehicles tested from 19 manufacturers.

The vulnerability bounty payouts were around $340,000 USD, and part of the research and exploitation was done on rental vehicles. The approach was “black box” - production vehicles, real-world exploits.

It seems like a serious, effective car-hacking industry at scale, currently under strict NDAs - and here we get some insight into it.

Enjoy - and please share this with your peers in automotive cybersecurity; they must know about it.

More details:

Towards Understanding and Characterizing Vulnerabilities in Intelligent Connected Vehicles through Real-World Exploits [PDF]: https://arxiv.org/abs/2601.00627

ICV_Vulnerabilities [Github]: https://github.com/Anonymous-People/ICV_Vulnerabilities


Original link: https://it4sec.substack.com/p/eight-hacking-events-and-649-exploitable