Attack Surfaces from Pwn2Own Automotive 2026: Key Findings for Security Teams

VicOne

This blog highlights three attack surfaces from Pwn2Own Automotive 2026 and what they reveal about emerging risks in EV chargers, IVI systems, and connected vehicle security.


Key points of this blog: 

  • NFC interfaces on electric vehicle (EV) chargers can be exploited via stack-based buffer overflows, turning contactless convenience features into attack entry points. 

  • Hardcoded credentials in EV charger firmware can contribute to fleet-wide risk when reused across devices or chained with weak update validation. 

  • USB interfaces in IVI systems remain viable attack surfaces when paired with chained memory-safety vulnerabilities. 

 

Pwn2Own Automotive 2026 made one thing clear: the connected vehicle attack surface is expanding beyond the vehicle itself. Co-hosted by VicOne and TrendAI Zero Day Initiative (ZDI) at Automotive World in Tokyo, Japan, the three-day competition set a new record with 76 unique zero-day vulnerabilities discovered across EV chargers, in-vehicle infotainment (IVI) systems, Tesla interfaces, and other automotive technologies. 

The contest did not reveal theoretical risks. It demonstrated how contactless interfaces, hardcoded credentials, and physical interfaces can become attack paths in real-world automotive and charging infrastructure. 

For security teams, the value of these results is not only in the number of zero-days discovered, but also in the familiar and emerging attack surfaces they reveal. This blog focuses on three attack surfaces with immediate practical implications: NFC-enabled EV chargers, hardcoded credentials in EV charging firmware, and USB-based infotainment access.  

The analysis is based on Pwn2Own Automotive 2026 results and VicOne CyberThreat Research Lab’s preliminary observations. Because full technical details may not yet be publicly available, the discussion below focuses on attack-surface patterns security teams can evaluate now while the responsible disclosure process continues in accordance with TrendAI ZDI’s disclosure policy.

A simple NFC tap becomes an attack surface 

At Pwn2Own Automotive 2026, the Synacktiv team used NFC to exploit the Autel MaxiCharger AC Elite Home 40A electric vehicle (EV) charger via a stack-based buffer overflow. A single NFC tap triggered code execution that altered the charger’s output behavior — something TrendAI ZDI stated was a Pwn2Own first: NFC had never been used to compromise an EV charger in a public demonstration before. 

NFC is a consumer-facing feature built for convenience: payments, pairing, and access control. It is not typically treated as a security boundary. Yet in this exploit, NFC input reached embedded parsing logic with insufficient memory-safety protections, enabling code execution that affected charging output behavior. The interface designed for ease became the path in. 

What this means for security teams: Modern electric vehicle supply equipment (EVSE) increasingly exposes contactless interfaces to user interaction. Where user-controlled input interacts with embedded parsing or operational controls, those interfaces need to be treated as potential attack surfaces — not just usability features. 

Key focus areas for NFC and contactless interface security 

  • NFC input validation: Contactless interactions should be subject to the same input validation rigor as any network-facing interface. Unvalidated input reaching embedded parsing logic was a key condition in this exploit, though successful exploitation depends on multiple compounding factors. 

  • Memory-safety protections: Stack-based buffer overflows remain exploitable in embedded EVSE firmware. Memory-safe coding practices and compiler-level mitigations reduce the conditions that make these exploits viable. 

  • Interface isolation: A compromised convenience feature should not have a direct path to operational controls. Segmentation between contactless interfaces and charging output logic limits the impact of a successful exploit. 

Hardcoded credentials and the risk of repeated exposure 

Researchers from the 299 team exploited hardcoded credentials (CWE-798) to achieve code execution via a download of code without integrity check (CWE-494) on the Grizzl-E Smart 40A EV charger. The result points to a persistent embedded-systems problem: credentials and access mechanisms become risky when they are hardcoded, shared, based on defaults, or difficult to rotate. 

In EV charging infrastructure, these weaknesses are not just local device concerns. Hardcoded or default credentials may expose maintenance, provisioning, management, or update-related functions. Separately, missing or insufficient authentication can directly expose critical functions. These paths should not be treated as one mandatory sequence; rather, they represent different ways to obtain access to sensitive charger functions. 

The risk becomes more serious when access to those functions is paired with weak validation of firmware, update packages, scripts, configuration packages, or other executable content. If such content is accepted without sufficient origin and integrity checks, attackers may have a path to install or execute crafted code. 

Why this matters for charge point operators 

For charge point operators (CPOs), this can create repeatable exposure across similar deployments, especially where credentials, update mechanisms, or maintenance access patterns are reused. 

Risk area            | Potential impact
Unauthorized access  | Attackers using known credentials to access management interfaces
Device compromise    | Code execution enabling persistent access or configuration changes
Service disruption   | Interference with charging availability or billing accuracy
Fleet-wide exposure  | Credential or firmware weaknesses replicated across all deployed units

Key focus areas for credential and firmware security 

  • Credential and privileged access management: Privileged functions should not rely on hardcoded, shared, default, or predictable credentials. Sensitive provisioning, maintenance, management, and update operations should require strong authentication. Credentials should be unique, revocable, and, where possible, replaceable, with processes to rapidly rotate compromised credentials across deployed fleets. Elevated-access maintenance interfaces should be restricted, monitored, and designed to minimize impact if credentials are exposed. 

  • Firmware and executable content integrity validation: Firmware, updates, scripts, and configuration packages should be cryptographically verified before installation or execution. Devices should reject content with invalid, missing, or unverifiable integrity checks to prevent execution of untrusted code. Validation should cover both firmware images and auxiliary content that can modify device behavior or establish persistent access. 
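As an added example (written for this post, not code from VicOne or from any charger vendor's firmware), the acceptance routine below shows the ordering the two points above call for: structural checks first, then a fail-closed signature requirement that covers firmware, scripts and configuration packages alike, then anti-rollback only once the version field has been authenticated. The package format, the version counter and the verifier callback are assumptions; the keyed checksum used as the demo verifier stands in for the platform's public-key signature check and is not a secure substitute for it.

```c
/* Added example, not code from VicOne or from any charger vendor's firmware: the
 * accept/reject decision an EV charger updater should make before a firmware image,
 * script or configuration package is written to flash. Layout, version counter and
 * verifier callback are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKG_MAGIC 0x50574655u   /* constructed magic value */
#define SIG_LEN   64            /* room for a detached signature */
enum pkg_kind { KIND_FIRMWARE = 1, KIND_CONFIG = 2, KIND_SCRIPT = 3 };

struct pkg_header {             /* 84 bytes, no padding */
    uint32_t magic, kind, version, payload_len;
    uint32_t sig_len;           /* 0 means unsigned, which is always rejected */
    uint8_t  sig[SIG_LEN];
};

/* Plug-in point for the platform's real signature check (e.g. Ed25519 from the device
 * crypto library): returns 1 only if sig authenticates header-before-sig plus payload. */
typedef int (*verify_fn)(const uint8_t *hdr, size_t hdr_len, const uint8_t *pl,
                         size_t pl_len, const uint8_t *sig, size_t sig_len);
enum verdict { ACCEPT = 0, REJ_MALFORMED, REJ_NO_VERIFIER, REJ_UNSIGNED,
               REJ_BAD_SIG, REJ_ROLLBACK };

enum verdict validate_package(const uint8_t *pkg, size_t pkg_len,
                              uint32_t installed_version, verify_fn verify)
{
    struct pkg_header h;
    /* 1. Structural checks on a copied header, so a short buffer is never over-read. */
    if (pkg == NULL || pkg_len < sizeof h) return REJ_MALFORMED;
    memcpy(&h, pkg, sizeof h);
    if (h.magic != PKG_MAGIC || h.kind < KIND_FIRMWARE || h.kind > KIND_SCRIPT)
        return REJ_MALFORMED;
    if (h.payload_len != pkg_len - sizeof h) return REJ_MALFORMED; /* declared vs actual */
    /* 2. Fail closed: no verifier or no signature is a rejection, not a skipped check. */
    if (verify == NULL) return REJ_NO_VERIFIER;
    if (h.sig_len == 0 || h.sig_len > SIG_LEN) return REJ_UNSIGNED;
    /* 3. Origin and integrity over every field the device will act on. */
    if (verify(pkg, offsetof(struct pkg_header, sig), pkg + sizeof h,
               h.payload_len, h.sig, h.sig_len) != 1) return REJ_BAD_SIG;
    /* 4. Anti-rollback only after authentication, so the version field is trusted. */
    if (h.version <= installed_version) return REJ_ROLLBACK;
    return ACCEPT;
}

/* Demo stand-in for the verifier: a keyed FNV-1a checksum. It exercises the data path
 * (changing any signed byte flips the verdict) but is NOT a secure MAC or signature;
 * a real device uses public-key verification here. Key is a constructed value. */
static const uint8_t DEMO_KEY[] = "constructed-demo-key";
static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n)
{ for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; } return h; }

static void demo_tag(const uint8_t *hdr, size_t hdr_len, const uint8_t *pl,
                     size_t pl_len, uint8_t out[SIG_LEN])
{
    uint64_t h = fnv1a(0xcbf29ce484222325ULL, DEMO_KEY, sizeof DEMO_KEY);
    h = fnv1a(fnv1a(h, hdr, hdr_len), pl, pl_len);
    memset(out, 0, SIG_LEN);
    memcpy(out, &h, sizeof h);
}

int demo_verify(const uint8_t *hdr, size_t hdr_len, const uint8_t *pl,
                size_t pl_len, const uint8_t *sig, size_t sig_len)
{
    uint8_t expect[SIG_LEN];
    unsigned diff = 0;                       /* constant-time comparison */
    if (sig_len != SIG_LEN) return 0;
    demo_tag(hdr, hdr_len, pl, pl_len, expect);
    for (size_t i = 0; i < SIG_LEN; i++) diff |= expect[i] ^ sig[i];
    return diff == 0;
}

/* Build header + payload into out, tagged with the demo verifier when sign != 0. */
size_t build_demo_package(uint8_t *out, size_t cap, uint32_t kind, uint32_t version,
                          const uint8_t *pl, size_t pl_len, int sign)
{
    struct pkg_header h = { PKG_MAGIC, kind, version, (uint32_t)pl_len,
                            sign ? SIG_LEN : 0, {0} };
    if (cap < sizeof h + pl_len) return 0;
    if (sign)   /* sig_len is set before tagging because it lies inside the signed bytes */
        demo_tag((const uint8_t *)&h, offsetof(struct pkg_header, sig), pl, pl_len, h.sig);
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, pl, pl_len);
    return sizeof h + pl_len;
}

/* Runs the cases the text describes; returns 1 when every verdict is as expected. */
int self_check(void)
{
    static const uint8_t pl[] = "constructed config payload";
    uint8_t buf[256];
    size_t n = build_demo_package(buf, sizeof buf, KIND_CONFIG, 5, pl, sizeof pl, 1);
    int ok = validate_package(buf, n, 4, demo_verify) == ACCEPT;
    ok &= validate_package(buf, n, 5, demo_verify) == REJ_ROLLBACK;
    ok &= validate_package(buf, n, 4, NULL) == REJ_NO_VERIFIER;
    buf[8] ^= 1;                             /* tamper with the version field */
    ok &= validate_package(buf, n, 4, demo_verify) == REJ_BAD_SIG;
    n = build_demo_package(buf, sizeof buf, KIND_SCRIPT, 6, pl, sizeof pl, 0);
    ok &= validate_package(buf, n, 4, demo_verify) == REJ_UNSIGNED;
    return ok;
}

int main(void) { printf("updater self-check: %s\n", self_check() ? "pass" : "FAIL"); return 0; }
```

Two design choices matter more than the format itself: the signature covers the header fields as well as the payload, so the kind and version a device acts on cannot be rewritten around the check, and the rollback comparison runs only after verification, so an unauthenticated version field never influences the decision. The same routine is applied to configuration packages and scripts, which is the auxiliary content the second point above says must not be left unverified.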

USB remains a high-risk entry point 

At Pwn2Own Automotive 2026, the Synacktiv team chained an information leak with an out-of-bounds write to exploit the Tesla infotainment system via the USB port, as documented in VicOne’s Day 1 coverage of Pwn2Own Automotive 2026. A full compromise was executed by plugging in a USB device. 

The result is notable because USB is one of the most familiar and easily accessible physical interfaces in a vehicle, yet it can still introduce untrusted data into complex infotainment software. The combination of an information leak and an out-of-bounds write also shows how separate memory-safety issues can be chained to make exploitation more reliable. 

The risk is not the USB port itself. It is the complex infotainment software that processes whatever the port introduces. Even where segmentation limits access to safety-critical vehicle domains, compromise of the IVI layer carries real consequences: privacy exposure, operational disruption, brand impact, and potential downstream security concerns. 

Key focus areas for USB interfaces in infotainment systems 

  • Media parser hardening: Infotainment systems can process a wide range of file types and data formats introduced via USB. Each parser represents a potential attack surface. Fuzzing and input validation testing should cover the full range of formats the system accepts. 

  • System-level memory protection: Strong OS-level mitigations can make memory corruption vulnerabilities harder to weaponize. Protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention or non-executable memory (DEP/NX), stack canaries, and Control Flow Integrity (CFI) help reduce the chance that an information leak or out-of-bounds write can be turned into reliable code execution. 

  • IVI isolation: The infotainment layer should be isolated from more sensitive vehicle domains. The degree of isolation determines how far a successful IVI compromise can reach. 

  • USB input policy: Data introduced via USB should be treated as untrusted input, regardless of the apparent source. Physical access to a USB port should not imply implicit trust in the data it carries. 
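The NFC case above (a length taken from a tag and used before it is checked against a fixed-size stack buffer) and the media parser hardening point here come down to the same defect class: a size field from untrusted input that drives a copy without being compared against the destination capacity and the bytes actually received. One added example serves both passages. It is written for this post, not code from VicOne, Synacktiv, Autel or Tesla; the record layout (1-byte type, 1-byte length, payload), the 32-byte buffer and the sample bytes are constructed for illustration.

```c
/* Added example, not code from VicOne, Synacktiv, Autel or Tesla: a minimal TLV
 * record parser of the kind that sits behind an NFC reader or a USB media importer,
 * in an unsafe form and a hardened form. The record layout (1-byte type, 1-byte
 * length, payload) and the 32-byte on-stack copy are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECORD_MAX  32   /* capacity of the fixed buffer a record is copied into */
#define MAX_RECORDS 16   /* upper bound on records accepted from one input */

struct record {
    uint8_t type;
    uint8_t len;
    uint8_t data[RECORD_MAX];
};

/* UNSAFE pattern: the length byte comes straight from the tag or file and becomes
 * the memcpy size. A length above RECORD_MAX writes past data[] (a stack-based
 * buffer overflow when the record lives on the stack); a length above the bytes
 * actually received reads past the input. Shown only as the pattern to recognise. */
int parse_record_unsafe(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in_len < 2) return -1;
    out->type = in[0];
    out->len  = in[1];
    memcpy(out->data, in + 2, out->len);      /* no check against RECORD_MAX or in_len */
    return 2 + out->len;
}

/* HARDENED: every externally supplied length is checked against both the
 * destination capacity and the bytes that really arrived before it is used.
 * Returns bytes consumed, or -1 and leaves *out untouched. */
int parse_record_safe(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in == NULL || out == NULL || in_len < 2) return -1;
    uint8_t len = in[1];
    if (len > RECORD_MAX) return -1;           /* would overflow data[] */
    if ((size_t)len > in_len - 2) return -1;   /* truncated record: would over-read */
    out->type = in[0];
    out->len  = len;
    memcpy(out->data, in + 2, len);
    return 2 + len;
}

/* Walk a whole input (everything read from one tag, or one file chunk) and count
 * well-formed records; stop at the first bad one instead of parsing past it, and
 * cap the count so a stream of tiny records cannot drive unbounded work.
 * Returns the count, or -1 if any record is malformed or the cap is exceeded. */
int count_valid_records(const uint8_t *in, size_t in_len)
{
    int count = 0;
    size_t off = 0;
    while (off < in_len) {
        struct record r;                        /* on the stack, as in the unsafe case */
        if (count == MAX_RECORDS) return -1;
        int used = parse_record_safe(in + off, in_len - off, &r);
        if (used < 0) return -1;
        off += (size_t)used;
        count++;
    }
    return count;
}

/* Constructed inputs: a well-formed 4-byte record, one whose length byte
 * (0xF0 = 240) exceeds both RECORD_MAX and the input it arrived in, and two
 * well-formed records back to back. */
const uint8_t SAMPLE_GOOD[]  = {0x01, 0x04, 'D', 'E', 'M', 'O'};
const uint8_t SAMPLE_BAD[]   = {0x01, 0xF0, 'D', 'E', 'M', 'O'};
const uint8_t SAMPLE_MIXED[] = {0x01, 0x04, 'D', 'E', 'M', 'O', 0x02, 0x02, 'O', 'K'};

/* Parse one record into a local on-stack copy; returns bytes consumed or -1. */
int parse_sample(const uint8_t *in, size_t in_len)
{
    struct record r;
    return parse_record_safe(in, in_len, &r);
}

int main(void)
{
    printf("good  -> %d\n", parse_sample(SAMPLE_GOOD, sizeof SAMPLE_GOOD));  /* 6 */
    printf("bad   -> %d\n", parse_sample(SAMPLE_BAD, sizeof SAMPLE_BAD));    /* -1 */
    printf("mixed -> %d records\n",
           count_valid_records(SAMPLE_MIXED, sizeof SAMPLE_MIXED));          /* 2 */
    return 0;
}
```

The hardened parser rejects a record whose declared length exceeds either bound instead of truncating it, and the caller stops at the first malformed record rather than resynchronising past it. The compiler and OS mitigations listed above (stack canaries, NX, ASLR, CFI) belong on top of this check, not in place of it: they raise the cost of exploiting whatever a parser still gets wrong, while the bounds check removes the defect itself.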

What Pwn2Own Automotive 2026 tells us about the direction of automotive cyber risk 

Across the three attack surfaces, a consistent pattern emerges: the interfaces and design choices that make connected vehicles and EV infrastructure usable can also create exploitable conditions when trusted too broadly. 

NFC enables contactless convenience. Hardcoded credentials may support maintenance or device access. USB ports enable data transfer. These are legitimate design choices, but they can become viable attack paths when they are allowed to influence sensitive functions without enough validation, isolation, or integrity checks. 

The direction is clear: automotive cyber risk is expanding from individual vehicle components to the interfaces, credentials, software paths, and connected infrastructure that support mobility at scale. 

Key takeaway: For OEMs, Tier 1 suppliers, and CPOs, the practical question is not whether these risks exist. It is how quickly they can identify affected systems, prioritize what matters most, and respond before vulnerabilities move beyond a controlled research environment. 

As in previous editions, Pwn2Own Automotive 2026 helped surface these attack-surface patterns before malicious actors could exploit them. Zero-day vulnerability discovery is the starting point. From there, security teams need the intelligence, context, and workflows to assess exposure, prioritize response, and reduce long-term risk. 

VicOne supports this through xAurient, which delivers automotive threat intelligence for earlier risk visibility, and xZETA, which helps teams manage vulnerabilities and SBOMs across the vehicle lifecycle. 

Pwn2Own Automotive 2026 may have crossed the finish line, but the work it points to is ongoing: strengthening the systems, interfaces, and trust boundaries that will define the future of connected vehicle security.