
By Jason Yuan (Engineer, Automotive)
At Pwn2Own Automotive 2024, McCaulay Hudson and Alex Plaskett, security researchers from the NCC Group, demonstrated a three-bug exploit chain against the Pioneer DMH-WT7600NEX in-vehicle infotainment (IVI) system.
Their attack combined the following vulnerabilities: CVE-2024-23928 which involved improper HTTPS certificate validation and enabled session hijacking; CVE-2024-23929, a directory traversal flaw that allowed unauthorized file creation; and CVE-2024-23930, improper exception handling leading to denial of service.
By chaining these vulnerabilities, the researchers achieved remote code execution (RCE) and implanted persistent spyware — highlighting significant security risks for the automotive industry.
According to Trend Zero Day Initiative™ (ZDI), VicOne’s co-host for Pwn2Own Automotive and partner in vulnerability discovery and disclosure, Pioneer has already issued a firmware update to address the vulnerabilities.
The researchers presented their findings at the recent Insomnihack conference in Switzerland. In this blog entry, we provide an overview of the multi-bug exploit chain and discuss industry best practices for mitigating similar exploits.
Importance of securing IVI systems
Modern IVI systems serve as more than entertainment hubs — they also provide navigation, internet connectivity, and integration with critical vehicle functions. Both original equipment manufacturer (OEM) and aftermarket IVI units, such as the Pioneer DMH-WT7600NEX, handle sensitive user data and often have privileged access to vehicle functions.
Vulnerabilities in these systems could allow attackers to track a vehicle’s real-time location, eavesdrop on conversations, steal personal information, or even manipulate vehicle behavior, potentially altering driving modes or powertrain settings.
Overview of the three-bug exploit chain
The researchers first bypassed security measures protecting firmware extraction, shifting the system analysis from “blackbox to whitebox,” or moving from limited external testing to full visibility of the system’s internal architecture and its potential weak points.
Another significant breakthrough was the discovery of an HTTPS certificate validation flaw, which left the system vulnerable to man-in-the-middle (MITM) attacks, allowing attackers to hijack user sessions. They also discovered that malicious dependency files could be imported directly from an external USB device, enabling persistent spyware installation.
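The directory traversal flaw (CVE-2024-23929) turned a file import from USB into arbitrary file creation. The Python helper below is an added example, not the researchers' or Pioneer's code, showing the containment check a dependency importer should run before it writes a file named on removable media; the import root /media/usb-import/deps and the sample names are constructed placeholders.

```python
import os

class UnsafeImportPath(ValueError):
    """Requested file name would land outside the import directory."""

def resolve_import_path(import_root: str, requested_name: str) -> str:
    """Return the absolute path a dependency file may be written to, or raise.

    Rejects empty names, NUL bytes, absolute paths, and any '..' or symlink
    hop that resolves outside import_root. Hypothetical helper for an
    importer that copies dependency files from removable media.
    """
    if not requested_name or "\0" in requested_name:
        raise UnsafeImportPath("empty name or embedded NUL byte")
    if os.path.isabs(requested_name):
        raise UnsafeImportPath("absolute paths are not accepted")
    root = os.path.realpath(import_root)
    # realpath normalises '.' and '..' and follows symlinks on existing
    # prefixes, so one containment check covers traversal and symlink escapes.
    candidate = os.path.realpath(os.path.join(root, requested_name))
    try:
        contained = os.path.commonpath([root, candidate]) == root
    except ValueError:          # different drives on Windows: never contained
        contained = False
    if not contained or candidate == root:
        raise UnsafeImportPath(f"{requested_name!r} resolves outside {root}")
    return candidate

def triage_names(import_root: str, names: list[str]) -> dict[str, str]:
    """Classify each requested name as 'accepted' or 'rejected'."""
    result = {}
    for name in names:
        try:
            resolve_import_path(import_root, name)
            result[name] = "accepted"
        except UnsafeImportPath:
            result[name] = "rejected"
    return result

if __name__ == "__main__":
    # Constructed sample names; the import root is an assumed placeholder.
    ROOT = "/media/usb-import/deps"
    SAMPLES = ["libhelper.so", "plugins/audio.so", "../../etc/shadow",
               "/etc/shadow", "plugins/../../../tmp/x", "bad\0name"]
    for name, verdict in triage_names(ROOT, SAMPLES).items():
        print(f"{verdict:8} {name!r}")
```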
Figure 1. Attack chain illustrating how the security researchers achieved persistent spyware implantation on the Pioneer DMH-WT7600NEX IVI system
Mapping the exploit chain to the Automotive Threat Matrix
To better understand the attack’s scope, we mapped out the researchers’ exploit methodology to the Automotive Threat Matrix (ATM), demonstrating how this framework helps identify, classify, and mitigate cybersecurity risks in automotive systems. Our mapping also underscores the structured nature of automotive cybersecurity analysis and emphasizes the need for systematic defenses aligned with recognized threat models.
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Physical Modification | ATM-T0016 | Tampering with system credentials via in-circuit programming to modify the /etc/shadow file |
| Manipulate Environment | Manipulate Communications | ATM-T0003 | Leveraging improper HTTPS certificate validation to enable session hijacking |
| Initial Access | Exploit via Removable Media | ATM-T0013 | Introducing malicious payloads via external USB devices |
| Privilege Escalation | Exploit OS Vulnerability | ATM-T0026 | Using CVE-2016-5195 (Dirty COW) to gain root privilege |
| Collection | Location Tracking | ATM-T0043 | Utilizing spyware to track GPS coordinates in real time |
| Collection | Data From Local System | ATM-T0059 | Accessing and exfiltrating sensitive user data such as call logs and cookies |
Security observations on the affected IVI system
The researchers noted several existing security measures in the Pioneer IVI systems, including mount privilege control, which restricted write permissions primarily to external USB media.
At the same time, their assessment surfaced areas where additional safeguards could be beneficial. Although a watchdog mechanism was in place to protect the firmware extraction process, further improvements such as adopting encryption standards and utilizing advanced eMMC security protocols could enhance protection.
The researchers noted that Pioneer had addressed the HTTPS validation issue by introducing stricter session-based certificate validation, mitigating the risk of similar future exploits.
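The certificate-validation flaw (CVE-2024-23928) and the stricter validation Pioneer shipped both come down to how the client configures TLS. As an added example that is not the IVI's own code, the Python block below puts the weak client configuration beside a corrected one and adds a small audit function that flags the settings a code review should catch; the optional pinned CA bundle path is an assumption.

```python
import ssl
from typing import Optional

def weak_client_context() -> ssl.SSLContext:
    """The pattern behind 'improper certificate validation': any certificate,
    for any hostname, is accepted, so an on-path attacker can impersonate the
    backend and the session is exposed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # chain is never checked
    return ctx

def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Corrected configuration: chain verified against a trust store, hostname
    matched against the certificate, TLS 1.2 or newer only. ca_bundle is an
    assumed path to a CA file the device ships with; None uses the system
    store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings a review would raise for this client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode != CERT_REQUIRED: server chain not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not bound to host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS below 1.2")
    return findings

if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_client_context(ctx) or ["no findings"])
```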
Industry best practices
To bolster automotive cybersecurity, manufacturers should adopt comprehensive strategies that integrate both proactive risk management and compliance with industry standards and regulations.
Maintaining a complete and up-to-date software bill of materials (SBOM) is vital for tracking components and identifying vulnerabilities across the software supply chain. Compliance with established cybersecurity standards and regulations such as ISO/SAE 21434 ensures a structured approach to risk management. Additionally, following guidelines from authorities such as the US National Highway Traffic Safety Administration (NHTSA) further strengthens the security posture of automotive systems.
By implementing such best practices, the automotive industry can better protect vehicles amid evolving automotive cybersecurity challenges, safeguard user privacy, and reinforce trust in connected vehicle technologies.
A background on coordinated disclosure timelines
The timeline of public vulnerability disclosures can seem unclear to many. For example, there is often a delay between Trend ZDI’s announcement that a team has successfully hacked or “pwned” a device at a Pwn2Own event and the subsequent publication of the techniques used in the attack. This delay is part of the coordinated vulnerability disclosure (CVD) process, which aims to manage zero-day vulnerabilities responsibly.
In the 1990s, only a small number of hackers actively searched for vulnerabilities, and many vendors were unprepared to handle them. Concerns arose from both sides: “Are hackers submitting vulnerabilities in exchange for benefits?” and “Will these vulnerabilities actually be fixed, or will the effort be wasted?” The compromise became clear: Hackers would first submit vulnerabilities to vendors, who would then release a patch and publicly acknowledge the researchers for their discovery.
According to Trend ZDI’s disclosure policy, a submitted vulnerability is disclosed when a patch becomes available — or after a certain period if the vendor remains unresponsive. This approach either addresses the vulnerability or informs the public about an unresolved issue, reducing the likelihood of exploitation. This explains the time gap between initial discovery and full public disclosure.