Robert Lemos, Contributing Writer January 23, 2026 4 Min Read Source: Trend AI's ZDI A simple swipe of a card near an electric vehicle charger is all it took to execute a buffer overflow and take over its automotive system. The demonstration, part of the annual automobile-focused Pwn2Own competition in Tokyo, allowed a security researcher with the Synacktiv team to compromise an Autel MaxiCharger AC Elite Home 40A using near-field communication (NFC). "They just essentially walked up to an EV charger, hit it with an NFC card, and took it over like that," says Dustin Childs, head of threat awareness for Trend AI's Zero Day Initiative. "That was amazing to see." The contest put on display the still-problematic insecurities of many of the IT and operational-technology (OT) components of vehicle systems. In the first two days of the three-day contest, researchers showed off 66 unique zero-day vulnerabilities, winning nearly a million dollars. Five in every six attempts succeeded, but about a third of the attempts had one or more "collisions" — the researchers tried to exploit a vulnerability used earlier in the competition. Most of the attacks focused on either aftermarket in-vehicle infotainment (IVI) systems or electric-vehicle (EV) chargers. The infotainment systems were often vulnerable to simple, unpatched bugs, while the EV chargers appeared to have improved security, but still possessed a large attack surface, says Childs. In addition to compromising a device through NFC, other researchers used Bluetooth or — on EV chargers — the charging gun itself. "If it can be compromised, it eventually will be compromised," Childs says. "The potential for any compromise — what you could possibly do with this stuff — is really kind of frightening because you're talking about a vehicle ... it's them affecting the operation of your vehicle, which could be really problematic." While the exploit crews were required to compromise previously unknown zero-day vulnerabilities, the lessons echo those of the past decade. Since the 2015 hack of GMC Jeep , infotainment systems have continued to be a soft target. Car Infotainment Systems Still Easy to Hack This year, ZDI had to ban specific vulnerabilities, because the infotainment-system manufacturers still had not patched them from the previous year . The latest contest is the third annual Pwn2Own specifically targeting automotive systems. ZDI typically runs three contests a year, each with a different focus. IVI systems are a popular target of vulnerability researchers because they tend to have access to the majority of a car's systems and are not well protected, says Alex Plaskett, associate director of security research at NCC Group, a cybersecurity consultancy, who has participated in previous Pwn2Own contests. "The security posture of IVIs in general is not at the same level as, say, a high-end mobile phone, like iOS and Android," he says. "IVIs that we looked at have just been lacking mitigations and they've been a lot easier to exploit." Because car components often lack holistic security design and review processes, attackers can also make use of intended functionality in novel ways, says Liz James, managing security consultant at NCC Group. We are entering a realm where exploits can come from malicious use of intended functionality, she says. "Often, the issue hasn't arisen due to a bug, but instead, it's a lack of security depth in the architecture surrounding sensitive administrative tasks — such as dealership diagnostics, warranty claims, and servicing interfaces that has led to capabilities being misaligned," she says. "If these pathways aren't secured with defense-in-depth, an attacker doesn't need a bug; they can simply abuse the system's own maintenance tools to compromise a fleet." More Ways to Gain a Beachhead for EV, Charger Hacks This year's contest also demonstrated that hackers are finding little known facets of the vehicular attack surface to use as a way into automotive systems. In addition to the aforementioned compromise through NFC, other teams used the signals sent through the charging gun of EV chargers as a way to exploit the devices. In the most successful case, the team compromised the Alpitronic HYC50, a Level 3 fast charger used in the United States and other countries. "Essentially starting from a vehicle, you can plug in and then compromise the EV charger," ZDI's Childs says. "And it goes both ways — it's one of those trends that's like, wow, this is a level of communication we really didn't think happened." While electric-vehicle adoption has slowed in the United States, accounting for only 8% of new vehicle sales in 2025, they continue to account for nearly a quarter of worldwide sales (22%), according to the International Energy Agency . In addition, even gas-powered vehicles are adopting software-defined designs, which are easier to maintain but also have a larger attack surface . While gas pumps and fuel-monitoring systems have had their share of vulnerabilities , the connectedness of electric vehicles and the charging infrastructure raises additional risks, says NCC Group's James. "Electrification is the clear industry path, but the infrastructure is at higher risk because it is connected by design," she explains. "EV infrastructure is being built and deployed at high speed, with network functionality integrated into every layer before the industry has fully established the long-term resiliency patterns we see in older sectors." About the Author Robert Lemos, Contributing Writer Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends. See more from Robert Lemos, Contributing Writer