
By VicOne and Block Harbor
Nearly 500 people around the world stepped into a simulated automotive cyber battleground this August. From August 22 to September 1, VicOne and Block Harbor co-hosted the 2025 Global Vehicle Cybersecurity Competition (VCC). Over 11 days, competitors of all skill levels faced near real-world scenarios: unlocking ECUs, reverse-engineering CAN logs, and stopping malicious firmware.
VCC at a glance
Dates: August 22 to September 1, 2025
Participants: 480+, from first-timers to seasoned professionals
Scope: 8 challenges across red team and blue team
Solves: 269 total, with 5 individuals clearing the full set
Why this matters right now
Automotive security is living in a dual-track risk era.
- Legacy vehicles are still on the road. Traditional ECU and CAN bus weaknesses remain available to attackers.
- New vehicles are software-defined. OTA updates, cloud APIs, and complex supply chains introduce new attack surfaces.
These risks are not theoretical. VicOne Threat Intelligence has observed a steep 600% rise in automotive-focused cyber activity over the past four years. The VCC was designed to reflect what defenders are facing today, not a decade from now.
What competitors faced
Each challenge mirrored a real class of attack or defense task, and each included a practical takeaway.
Red team highlights
- Wired Keyless Entry: The automotive industry faced the reality that legacy and next-generation chipsets will coexist for years to come. The question is whether today’s security access code mechanisms are truly sufficient.
  - Focus: Security access controls on ECUs in mixed legacy environments
  - Takeaway: Recognize weaknesses in access mechanisms to inform more resilient hybrid designs
  - Difficulty: ★★★☆☆
- Tune-Up Trouble: An OTA update was hijacked, allowing a malicious firmware image to overwrite an ECU. This underscored that update mechanisms are not just about delivering new features. They can also become supply chain attack vectors.
  - Focus: OTA update workflow abused to deliver malicious firmware
  - Takeaway: Verification must be enforced end to end to prevent supply chain insertion
  - Difficulty: ★★★★★
- Password Change Policy: Just as attackers move laterally across compromised ECUs, this challenge required participants to trace those movements by reverse-engineering CAN logs.
  - Focus: Reverse-engineering CAN logs to reconstruct hidden attacker behavior
  - Takeaway: Log analysis and session reconstruction are core to incident response
  - Difficulty: ★★★★☆
- Autograph: SDVs depend on signatures and PKI for their software trust chain. But once compromised, advanced persistent threats (APTs) can hide in plain sight.
  - Focus: Abusing signature trust and PKI to enable long-term persistence
  - Takeaway: Understand signature and PKI failure modes to harden the trust chain
  - Difficulty: ★★☆☆☆
Blue team highlights
- Red Alert: Security in SDVs isn’t just about tools, it’s about collaboration. Here, participants analyzed abnormal CAN messages and coordinated their response as if in a VSOC environment.
  - Focus: Detecting abnormal CAN traffic and coordinating response as a VSOC team
  - Takeaway: Faster anomaly detection plus cross-team response reduces dwell time
  - Difficulty: ★★★★★
- SAE EAS: As automotive communication shifts to encryption, legacy and next-gen CAN will coexist. This challenge simulated key management and decryption issues in a mixed environment.
  - Focus: Operating across generations of encrypted CAN with mixed key management
  - Takeaway: Strong key lifecycle practices and consistent reporting are essential
  - Difficulty: ★★★☆☆
- Firmware Reveal: Firmware is the beating heart of SDVs, but it can also carry hidden malware. Participants were asked to reverse-engineer firmware and detect suspicious behavior.
  - Focus: Finding malicious payloads inside firmware images
  - Takeaway: Firmware forensics skills help teams “speak the hacker’s language”
  - Difficulty: ★★★★★
- TARA Quiz: True defense starts at the design stage. This challenge tested participants on applying Threat Analysis and Risk Assessment (TARA) to anticipate risks before they materialize.
  - Focus: Applying Threat Analysis and Risk Assessment at design time
  - Takeaway: Embedding security into development is the foundation of risk management
  - Difficulty: ★☆☆☆☆
Building the next-gen defender
The challenges at VCC weren’t designed at random. Each one was built around real industry pain points:
- OTA that is authorized but not fully verified can become a delivery channel for malicious code.
- Inconsistent key management across encrypted CAN implementations opens large-scale exposure.
- Compromised firmware signatures let attackers hide in plain sight.
- Skipping systematic risk assessments like TARA leaves gaps that later become incidents.
VCC turned these realities into hands-on learning so participants could practice both offense and defense, then bring the lessons back to their organizations. Our goal is bigger than a leaderboard. The industry needs practitioners who can:
- Think like an attacker and respond like a defender across the full vehicle lifecycle.
- Operate across generations, securing legacy platforms and modern SDVs.
- Translate technical insight into business impact for OEMs, suppliers, and insurers.
What's next
- Explore the findings. Our 2025 Threat Report connects these scenarios to trends and real incidents.
- Join the community. Stay tuned for workshops and future challenges from VicOne and Block Harbor.
- Bring VCC to your team. If you are an OEM, Tier 1, or insurer, ask about tailored training based on these scenarios.
The close of the 2025 Global VCC is just a starting point. We will continue to translate real automotive risks into practical scenarios so that more engineers, analysts, and students can train in a safe, realistic environment. The defenders in training today will ensure the safety of the vehicles of tomorrow.