Nissan Leaf hack: what PCAutomotive found

As vehicles become increasingly connected, cybersecurity risks grow more complex — a reality PCAutomotive confronts head-on through rigorous security research and responsible disclosure. In this interview, the team discusses their investigation into the Nissan Leaf’s connected systems, a project born from access and curiosity rather than suspicion. Known for uncovering vulnerabilities across the automotive landscape — from Volkswagen infotainment systems to EV chargers and high-profile hacks at Pwn2Own — PCAutomotive highlights the broader industry implications of their findings. Their goal isn’t to single out manufacturers but to spotlight systemic gaps, especially where regulatory frameworks like UNECE R155 and ISO 21434 fall short without practical, in-depth testing.

What inspired you to investigate the Nissan Leaf’s connected systems specifically?

Just the fact that the Nissan car was available for us to research.

PCAutomotive performs security research and is responsible for disclosure to other automotive manufacturers and suppliers as well. For example, in December 2024, we disclosed our findings on the Volkswagen & Skoda MIB3 infotainment system.

We also shared our research results for EV chargers back in 2023, together with a security advisory for Enel Juicebox. To add to previous examples, we participated in the Pwn2Own Automotive contest in January 2025, demonstrating our findings in Alpine, Sony, and Tesla Wallbox charger.

Our focus is the security of the automotive industry as a whole, not the security of a specific vendor. Our goal is not to highlight the problems of a specific provider but to showcase issues that may be common to other manufacturers in the industry. 

Were there red flags, trends, or previous anomalies that led your team to explore this particular model?

No, we didn’t have any preliminary knowledge back when we started this research – just the car and a strong will to hunt for bugs in it.

The DNS-based command-and-control channel is particularly intriguing—why choose DNS, and how difficult is it to detect such traffic in a real-world environment?

The DNS protocol resolves domain names, and since the owner of the car may use in-vehicle connected services for internet access, it’s hard to strictly whitelist domain names in advance. Therefore, DNS tunnelling may be used for arbitrary information exchange between the car and, in our case, the attacker-controlled server. However, it’s definitely possible to detect DNS tunnelling by analysing the length and entropy of hostnames on the network provider’s side, as well as with other publicly known techniques.
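
The hostname length and entropy check mentioned in this answer, shown as an added illustration (it is not part of the interview or PCAutomotive's tooling). The thresholds, function names and sample queries are assumptions constructed for the example, and a domain is only reported once several distinct flagged names point at it, so a single random-looking CDN hostname does not raise an alert.

```python
import math
from collections import Counter, defaultdict

# Thresholds are assumptions for this example; tune them on real resolver logs.
MAX_LABEL_LEN = 40        # longest single label allowed before flagging
MIN_ENTROPY_BITS = 3.8    # Shannon entropy (bits/char) treated as random-looking
MIN_CHARS = 20            # entropy of very short names is not meaningful
MIN_FLAGGED_NAMES = 3     # distinct flagged names before a domain is reported

def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(qname):
    """Return (subdomain, base). Naive: base = last two labels; use the Public Suffix List in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_query(qname):
    """List the reasons a single query name looks like tunnelled data."""
    sub, _ = split_name(qname)
    if not sub:
        return []
    reasons = []
    if max(len(label) for label in sub.split(".")) > MAX_LABEL_LEN:
        reasons.append("long_label")
    compact = sub.replace(".", "")
    if len(compact) >= MIN_CHARS and shannon_entropy(compact) >= MIN_ENTROPY_BITS:
        reasons.append("high_entropy")
    return reasons

def suspicious_domains(qnames):
    """Report base domains that received several distinct flagged names."""
    flagged = defaultdict(set)
    for qname in qnames:
        if score_query(qname):
            flagged[split_name(qname)[1]].add(qname.lower())
    return sorted(d for d, names in flagged.items() if len(names) >= MIN_FLAGGED_NAMES)

# Constructed sample query log (not captured traffic).
SAMPLE_QUERIES = [
    "www.example.com",
    "api-eu-west-1.telematics.example.org",
    "d3f9a7c1e5b2k8m4q6r0.cdn-example.net",
    "k7q2m9x4b1z8r5t0w3y6h.tunnel-demo.test",
    "z9y8x7w6v5u4t3s2r1q0p.tunnel-demo.test",
    "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2.tunnel-demo.test",
]
```

Calling `suspicious_domains(SAMPLE_QUERIES)` reports only the domain that received repeated flagged names, while `score_query` gives the per-query reasons for triage.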

When did you first notify Nissan, and how responsive were they to your findings? Have they committed to firmware or hardware changes?

PCAutomotive sent Nissan the security advisory with all the findings on the 2nd of August, 2023. Therefore, the overall time from reporting to disclosing is more than 1.5 years. We also additionally notified Bosch, the original supplier of an infotainment system for Nissan Leaf, in September 2024, although, as we were informed by Nissan, they also communicated with Bosch regarding this case. Nissan’s security team confirmed the vulnerabilities and planned remediations. Unfortunately, PCAutomotive does not have details about the mitigations applied, as Nissan didn’t disclose them to us.

Many manufacturers claim compliance with UNECE R155 and ISO 21434. Based on your findings, are these frameworks sufficient—or are they too theoretical to prevent such attacks?

The introduced frameworks imply cybersecurity requirements and introduce guidelines on how to properly do asset and risk management for automotive products. They don’t exclude but, on the contrary, call for practical offensive security exercises such as penetration tests and vulnerability assessment – tools that can reveal such findings. The thing is that the effort of such tests is not declared (and probably shouldn’t be declared) in these documents, making it up to vendors to decide. Vendors are free to perform quick, simple, and cheap tests just to comply with the regulations. We should keep in mind that although such an approach saves time and money, it also leaves complex bugs in the products undiscovered.

Do you believe that vehicle cybersecurity should be regulated like aviation or medical cybersecurity—where lives are at stake, and standards are more rigorous?

Although the aviation or medical industry may be more heavily regulated, we have all seen security research and successful hacks of planes and medical devices. Moreover, the automotive industry is also quite regulated from a code quality standpoint and other aspects. We believe strong regulation does not completely eliminate vulnerabilities, and the only way towards security is through research, knowledge sharing, and learning from mistakes. This comes with time.

What types of vehicles or manufacturers do you think are most vulnerable right now—EVs, legacy automakers entering digital ecosystems, or new connected fleets?

We found impactful vulnerabilities in modern EVs, traditional engine cars, and both new and old ones. To the best of our knowledge, product maturity level depends on a specific manufacturer, their supplier chain, what technology stack they use, and how much they invest in product quality and security tests. It does not depend directly on the type of the manufacturer or fleet.

Finally, what keeps you excited about working in automotive cybersecurity? Is it the thrill of ethical hacking, the sense of responsibility, or something more?

Breaking cars and vehicle infrastructure is a challenging and fun task for us. At the same time, although we started as purely an automotive R&D company, we are now not limited to the automotive industry – we research products in other industries (e.g. financial services, industrial IIoT, manufacturing, energy, etc.) as well, and we plan to keep extending our scope of services.

Andriani has been working in Publishing Industry since 2010. She has worked in major Publishing Houses in UK and Greece, such as Cambridge University Press and ProQuest. She gained experience in different departments in Publishing, including editing, sales, marketing, research and book launch (event planning). She started as Social Media Manager in 4i magazine, but very quickly became the Editor in Chief. At the moment, she lives in Greece, where she is mentoring women with job and education matters; and she is the mother of 3 boys.