Hundreds of thousands of vehicles from a major China-based automotive manufacturer are driving on the road today with serious cybersecurity vulnerabilities—leaving them open to remote hacking. While the company’s name remains undisclosed due to regulatory constraints, reports confirm that over 150,000 cars sold in 2024 are potentially affected by these alarming flaws.
Cybersecurity researchers Yingjie Cao and Xinfeng Chen uncovered the vulnerabilities, warning that the flaws could allow hackers to execute man-in-the-middle (MiTM) attacks and gain partial remote control of the affected vehicles. The duo plans to present their findings next month at Black Hat Asia, shedding light on how these bugs compromise two specific car models.
One of the most dangerous vulnerabilities was found in the vehicle’s in-vehicle infotainment (IVI) system, also known as the head unit. According to Cao, this flaw allows attackers to execute low-privilege code on the system, potentially pivoting deeper into critical vehicle controls.
“We were able to gain control over basic car functions—opening doors, windows, the trunk, and even controlling the headlights,” Cao explained. He initially identified the issue back in 2021 and has since demonstrated how attackers can chain exploits, moving from the infotainment system into other applications to escalate privileges further.
Adding to the threat, the team also uncovered a critical flaw in the car’s companion app, discovered just last year. This vulnerability stems from the app’s failure to use a trusted certificate. By simply injecting a fake certificate, Cao and Chen managed to hijack the app’s traffic entirely—stealing tokens that allowed them to remotely control the car.
What’s even more concerning is the simplicity of the attack. The researchers described the MiTM exploit as “beginner-level,” meaning that anyone with basic cybersecurity knowledge could potentially replicate it. With remote access in hand, a threat actor could manipulate vehicle functions with little resistance.
These revelations highlight a dangerous gap in the auto industry’s ability to secure its increasingly connected vehicles. Modern cars are rapidly becoming software-defined machines, which means more code—and more potential vulnerabilities—lurking under the hood.
A recent Synopsys and SAE International study revealed a troubling lack of cybersecurity resources in automotive companies. On average, car manufacturers employ just nine full-time cybersecurity experts. Shockingly, 30% of organizations have no cybersecurity team at all. Even those with some defenses test less than half of the software, hardware, and other digital systems within their vehicles.
The result? Vulnerabilities continue to surface, and often remain unpatched. Mazda, for instance, recently had six critical bugs uncovered in its IVI system—some exploitable through a simple USB connection. One vulnerability even allowed attackers to jump to the CAN bus, the core system responsible for a car’s physical operations like steering and braking.
Remote Cars Hacking Without Physical Access
What makes Cao and Chen’s research groundbreaking is that they uncovered these flaws without purchasing or disassembling any car parts. Instead, they demonstrated how attackers could exploit these systems entirely remotely—a chilling reminder that physical access is no longer a requirement for hacking vehicles.
“Our goal is to show that remote testing can expose real-world vulnerabilities,” Cao explained. “We didn’t buy any proprietary components. Everything was tested remotely.”
As automakers race to roll out new software-driven features, they’re also expanding the attack surface. Without urgent action, including better investment in real-time cybersecurity defenses, the risk of remote car hacking could soon move from theory to devastating reality on the road.
