The automotive industry is undergoing a rapid transformation with the advent of new technologies such as software-defined vehicles (SDVs), advanced driver-assistance systems (ADAS), and the integration of artificial intelligence (AI). While these innovations promise enhanced functionality and efficiency, they also introduce new cybersecurity challenges. Zero-day vulnerabilities, in particular, have become a significant concern, shaping the landscape of automotive cybersecurity.
The Role of Pwn2Own in Identifying Vulnerabilities
Pwn2Own Automotive 2025: A Platform for Discovery
The Pwn2Own Automotive 2025 competition, co-hosted by Trend Micro, took place at Automotive World in Tokyo from January 22 to 24. This annual event is the world’s largest platform for discovering vulnerabilities in connected cars. It brings together top-tier security researchers to identify zero-day vulnerabilities in automotive technologies, ensuring the safety and reliability of modern vehicles. Events like Pwn2Own are crucial in pinpointing weaknesses in these systems before malicious actors exploit them, thereby securing automotive technology against potential cyber threats.
Participating researchers from 13 different countries were drawn to this event, all focused on dissecting and understanding the potential weaknesses within today’s automotive technologies. Within just a few days, their collaborative efforts led to the identification of an impressive 49 unique zero-day vulnerabilities. These vulnerabilities spanned various automotive systems, including intricate in-vehicle infotainment systems (IVI) and sophisticated electric vehicle (EV) chargers. The discoveries made by these researchers underscore the importance of continual cybersecurity vigilance and proactive measures in the automotive sector.
Achievements and Discoveries
Sina Kheirkhah of Summoning Team emerged as a standout during the Pwn2Own Automotive 2025 competition by earning the prestigious title “Master of Pwn” for the year. This accolade not only recognizes the individual achievements of Sina Kheirkhah but also highlights the broader significance of these discoveries in fortifying vehicle security. The competition’s successes stress the imperative nature of identifying and mitigating zero-day vulnerabilities to maintain the integrity and security of connected car ecosystems.
The advancements and breakthroughs made at Pwn2Own Automotive 2025 provide an essential blueprint for future cybersecurity strategies. The findings emphasized the diverse range of vulnerabilities present in modern vehicles, revealing potential entry points for cyber attackers. Through competitions like Pwn2Own, the automotive industry is better equipped to address these vulnerabilities head-on, fostering a safer environment for technological advancements and innovations.
The Growing Importance of Cybersecurity in the Automotive Industry
The Impact of Software-Defined Vehicles (SDVs)
As software-defined vehicles (SDVs) continue to reshape the automotive industry, cybersecurity becomes increasingly critical in ensuring their safety and dependability. Max Cheng, CEO of VicOne, emphasizes the importance of uncovering and addressing vulnerabilities to mitigate risks before they escalate. Events like Pwn2Own Automotive play an integral role in detecting zero-day vulnerabilities, helping the industry proactively fortify vehicle security and paving the way for advancements in mobility. Ensuring robust cybersecurity measures for SDVs is essential to maintain consumer trust and further innovation within the industry.
The evolution of SDVs has expanded the attack surface for potential cyber threats, necessitating a heightened focus on security measures. As vehicles become more connected and reliant on software systems, the risks associated with cyberattacks grow exponentially. Addressing these challenges requires a multi-faceted approach, involving both advanced technological solutions and industry-wide collaborations to build a resilient and secure automotive ecosystem.
Rising Number of Vulnerabilities
According to VicOne’s upcoming 2025 annual report, the number of automotive-related vulnerabilities published in 2024 reached 530, nearly doubling the figures from 2019. This surge in vulnerabilities reflects the expanding attack surface and complexity of automotive systems. Cyberattacks in 2024 inflicted damages exceeding $22 billion, with $20 billion attributed to data breaches and leaks of personal information. These staggering figures underscore the urgency for the automotive industry to adopt comprehensive cybersecurity measures to protect against financial losses and safeguard consumers’ sensitive data.
The doubling of vulnerabilities within a short span highlights the rapidly escalating threat landscape in automotive cybersecurity. This increase can be attributed to the proliferation of connected car technologies, which inherently introduce more potential points of entry for malicious actors. To counteract this trend, the automotive industry must stay ahead of emerging threats through continuous monitoring, timely updates, and integration of advanced security protocols across all vehicle systems.
Key Risks and Emerging Threats
Generative AI and Supply-Chain Vulnerabilities
The automotive industry faces several key risks, including generative AI, supply-chain vulnerabilities, and over-the-air (OTA) updates. Supply-chain vulnerabilities are anticipated to dominate cybersecurity events, with likely increases in ransomware and OTA exploitations. These risks highlight the need for a security-first approach, incorporating robust defenses, regulatory compliance, and collaborative innovations to secure future mobility. Ensuring that supply chains are secure and resilient against attacks is vital for maintaining the integrity and functionality of modern vehicles.
Generative AI poses unique challenges, as it can be leveraged by cyber attackers to develop sophisticated threats that are difficult to detect and mitigate. The automotive industry must stay vigilant and proactive in identifying and neutralizing such threats before they can cause significant damage. Additionally, the increasing reliance on OTA updates introduces another layer of vulnerability, as these updates can be intercepted or manipulated by malicious actors if not properly secured.
AI Manipulation and Cloud-Based Attacks
Emerging threats also include AI manipulation, cloud-based attacks, and sensor data manipulation in autonomous systems. These threats underscore the importance of continuous innovation and vigilance in the field of automotive cybersecurity. The industry must prioritize the development of advanced solutions to address these evolving challenges and protect the connected-car ecosystem. As artificial intelligence becomes more integrated into vehicle systems, safeguarding against potential AI-driven attacks is imperative for ensuring the safety and security of both drivers and passengers.
Cloud-based attacks represent another significant threat, as more automotive companies rely on cloud services for data storage and processing. Protecting these cloud environments from breaches and unauthorized access is essential for maintaining the confidentiality and integrity of critical data. Sensor data manipulation in autonomous systems can lead to dangerous scenarios, making it crucial to implement robust security measures to prevent such incidents from occurring.
VicOne’s Innovative Solutions for Automotive Cybersecurity
xZETA and Smart Cockpit Protection
At the Automotive World 2025 event, VicOne showcased several innovative solutions tailored to protect the connected-car ecosystem. One such solution, xZETA, offers robust capabilities for managing software bills of materials (SBOM) and zero-day vulnerabilities. This advanced tool enables automotive companies to maintain a comprehensive and up-to-date inventory of software components, ensuring swift identification and remediation of any vulnerabilities that may arise. The ability to effectively manage SBOMs is critical in maintaining the integrity and security of modern vehicles’ software systems.
Smart Cockpit Protection, another pioneering solution from VicOne, leverages AI-driven security measures to protect automotive smart cockpits from data breaches and AI-targeted attacks. As smart cockpits become more prevalent in modern vehicles, ensuring their security is paramount to maintaining user trust and safeguarding sensitive information. By employing advanced AI techniques, Smart Cockpit Protection ensures that any potential threats are quickly identified and neutralized, providing a robust defense against cyberattacks.
xCarbon and xNexus
VicOne’s xCarbon system leverages edge AI processing to analyze vehicle data in real time, enabling early detection and prevention of cyberattacks and malfunctions in in-vehicle electronic control units (ECUs). This sophisticated system continuously monitors vehicle data, identifying any anomalies or potential threats that could compromise the safety and functionality of the vehicle. By utilizing edge AI processing, xCarbon ensures that potential issues are addressed promptly, minimizing the risk of any large-scale cyber incidents.
The xNexus platform, a Vehicle Security Operations Center (VSOC) support platform, is designed to monitor and respond to security threats in real time, ensuring comprehensive protection for connected vehicles. This advanced platform provides a centralized hub for monitoring, analyzing, and responding to potential security threats, offering automotive companies a robust tool to maintain the integrity and security of their vehicle fleets. By integrating these innovative solutions, VicOne demonstrates its commitment to advancing automotive cybersecurity and addressing the evolving challenges faced by the industry.
Collaborative Efforts and Strategic Partnerships
Partnerships with OEMs and Suppliers
VicOne’s booth at the Automotive World 2025 event highlighted the company’s collaborative efforts with its partners, including original equipment manufacturers (OEMs), hardware suppliers, semiconductor vendors, software developers, and service providers. These strategic partnerships are central to VicOne’s comprehensive approach to automotive cybersecurity, ensuring that advancements in vehicle technology come with equally advanced cybersecurity measures. By fostering strong relationships with key stakeholders, VicOne can develop and implement cutting-edge security solutions that address the unique challenges faced by the automotive industry.
Collaborative efforts with OEMs and suppliers enable VicOne to stay ahead of emerging threats and vulnerabilities, ensuring that its security solutions are both proactive and effective. By working closely with industry partners, VicOne can leverage collective expertise and resources to develop innovative cybersecurity measures that protect the entire connected-car ecosystem. These partnerships are crucial for maintaining the integrity and security of modern vehicles, as well as fostering trust and confidence among consumers.
The Role of the Zero Day Initiative (ZDI)
The Zero Day Initiative (ZDI), established by Trend Micro in 2005, encourages the reporting of zero-day vulnerabilities to vendors in a private manner. Researchers are financially rewarded for their findings, making ZDI the world’s largest vendor-agnostic bug bounty program. This initiative plays a vital role in the combined efforts to address the escalating threat landscape in the automotive industry. By incentivizing researchers to identify and report vulnerabilities, ZDI helps to ensure that potential threats are addressed before they can be exploited by malicious actors.
The ZDI program’s success highlights the importance of collaboration and open communication between researchers and vendors. By fostering a culture of transparency and cooperation, ZDI helps to create a more secure and resilient automotive ecosystem. This initiative underscores the need for continuous vigilance and proactive measures in addressing the ever-evolving cybersecurity challenges faced by the industry.
Trend Micro’s Contribution to Automotive Cybersecurity
Global Expertise and Innovation
The automotive industry is currently experiencing a significant transformation due to the advent of cutting-edge technologies. Software-defined vehicles (SDVs), advanced driver-assistance systems (ADAS), and the integration of artificial intelligence (AI) are at the forefront of this revolution. These technological advancements promise not only enhanced functionality but also greater efficiency in automotive performance. However, these innovations also bring with them a new set of cybersecurity challenges that the industry must address. One of the most pressing concerns is the issue of zero-day vulnerabilities. These are previously unknown security flaws that can be exploited by malicious actors before developers have a chance to address them. As the industry increasingly relies on sophisticated software and AI, these vulnerabilities are becoming more common and potentially more dangerous. Consequently, zero-day vulnerabilities are now a major focus in the realm of automotive cybersecurity, shaping strategies and driving the development of more robust security measures to protect vehicles and their users from potential threats.