Car Hacking: A New Reality?

Eight days, a laptop, and a group of relentless cybersecurity experts were all it took to seize remote control of a brand-new electric vehicle—raising terrifying questions about just how vulnerable the high-tech cars in America’s driveways really are.

At a Glance

  • White-hat hackers at PlaxidityX remotely seized control of a pre-production BEV, exposing critical security failures.
  • Researchers exploited weaknesses in Wi-Fi, hardcoded credentials, and insecure protocols to take over safety-critical vehicle functions.
  • The penetration test revealed that regulatory “compliance” often fails to address real-world, system-wide vulnerabilities.
  • Industry leaders and regulators now face mounting pressure to actually secure connected vehicles before production rolls out.

Researchers Show Just How Fast Hackers Can Take Over a Modern BEV

There’s no sugarcoating it: in 2025, as Big Auto races to flood the roads with battery-electric vehicles, PlaxidityX researchers demonstrated how the industry’s cybersecurity “progress” is laughably out of touch with reality. The team, working on a pre-production electric vehicle just days away from mass production, remotely breached the car’s systems in only eight working days. They didn’t just tinker with the radio—they gained full, remote control over the car’s safety-critical functions while it was moving. That means acceleration, braking, steering—the works—all at the mercy of anyone savvy enough to exploit the glaring security holes left by lazy programming and regulatory box-checking.

These weren’t back-alley hackers looking to cause chaos. PlaxidityX, formerly known as Argus Cyber Security, built its reputation by finding and publicizing vulnerabilities before the bad guys do. But what they uncovered here was not a one-off fluke—it was a catastrophic, system-wide failure. The researchers exploited a laundry list of security sins: unprotected Wi-Fi, hardcoded passwords, weak diagnostic interfaces, and insecure communications protocols. The “protection” that automakers and regulators rely on? Nothing but a paper-thin illusion, easily shredded by anyone willing to dig just a little deeper.

Regulations Lag as Industry Puts Image Over Safety

The battery-electric vehicle at the center of this fiasco wasn’t some prototype cobbled together in a garage. It was a production-ready, software-defined car, supposedly compliant with the much-touted ISO 21434 cybersecurity standard. PlaxidityX’s full-vehicle penetration test, which went far beyond the regulatory checklists, exposed the sad truth: current guidelines fixate on component-level testing and miss the forest for the trees. System-level flaws—those that only appear when all the tech is stitched together—are the ones hackers will exploit, and the automaker’s own compliance officers never saw them coming.

It’s no surprise to anyone who’s been paying attention. The industry has been obsessed with over-the-air updates, smartphone integration, and connecting vehicles to everything from home Wi-Fi to the electric grid. But in their rush to one-up each other in the “smartest car” sweepstakes, manufacturers have left the doors wide open. The Jeep Cherokee hack of 2015 woke up a few people, but here we are, a decade later, and the systemic rot has only deepened. The difference now? Thanks to regulatory half-measures and a supply chain full of third-party code, the attack surface is bigger than ever—and the consequences are far more severe.

Who’s Responsible When the Whole System is Broken?

The finger-pointing has already begun. Automakers rely on a patchwork of suppliers, each responsible for their own tiny piece of the puzzle, but nobody owns the big picture. Regulators set “minimum standards” that sound good in a press release but fail to mandate real-world, continuous testing. Meanwhile, white-hat researchers like PlaxidityX are left waving red flags, warning that compliance is not enough and that the next attack might not be so benign.

Omer Ziv, the lead researcher on the project, minced no words: secure boot, robust credential management, and strong in-vehicle network protections are non-negotiable. But until the industry gets serious about system-level security—and until the regulators start demanding proof, not promises—American consumers are left holding the bag. And let’s be clear: if a group of good guys can take over a car in eight days, what are the odds a bad actor with enough resources couldn’t do it even faster?