Hacking a head unit with malicious PNG

Danilo Erazo

DEF CON 33 · Day 1 · Main Stage

At DEF CON 33, Danilo Erazo, founder of RE Everything, presented a **zero-day technique** against Kia **infotainment consoles**. The talk, titled "Hacking a head unit with malicious PNG," showed how these in-car systems can be compromised by injecting **malicious PNG** files into the device's **firmware**. The vulnerability stems from a gap in the system's **integrity verification** process: the visual assets displayed on the screen are not covered by it.
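The defensive counterpart to the finding above, as an added illustration that is not code from the talk or from any Kia firmware: a weak loader that renders whatever PNG sits in the asset partition, beside a hardened loader that first checks the asset against a digest manifest anchored in the integrity-checked part of the image. The PNG bytes, the asset name and the manifest key are constructed placeholders; an HMAC stands in for the signature a real boot chain would use.

```python
import hashlib
import hmac
import json

# Constructed sample: a minimal PNG-shaped asset (signature plus a fake IHDR chunk), not a real firmware file.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ORIGINAL_ASSET = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + bytes(13) + b"fake-crc"
# Constructed tampered copy: same signature, one byte changed in the chunk body.
TAMPERED_ASSET = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + bytes(12) + b"\x01" + b"fake-crc"

# Placeholder key: in a real device this would be a verified public key provisioned in the secure boot chain.
MANIFEST_KEY = b"placeholder-key-provisioned-at-build"

def build_manifest(assets: dict, key: bytes) -> bytes:
    """Build-time step: record a SHA-256 digest for every UI asset and authenticate the list.
    Shipping this manifest inside the verified image extends the boot chain's guarantee to the PNGs."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(assets.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"assets": digests, "hmac": tag}).encode()

def load_asset_unverified(name: str, partition: dict) -> bytes:
    """Weak pattern: the asset is read straight from the partition and handed to the PNG decoder."""
    return partition[name]

def load_asset_verified(name: str, partition: dict, manifest: bytes, key: bytes) -> bytes:
    """Hardened pattern: verify the manifest tag, then the asset digest, before the decoder sees a byte."""
    doc = json.loads(manifest)
    body = json.dumps(doc["assets"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("asset manifest has been altered")
    if name not in doc["assets"]:
        raise ValueError(f"{name} is not in the authenticated asset set")
    data = partition[name]
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), doc["assets"][name]):
        raise ValueError(f"{name} does not match its manifest digest")
    return data

def demo() -> tuple:
    """Return (weak loader accepted tampered PNG, hardened loader accepted tampered PNG)."""
    manifest = build_manifest({"logo.png": ORIGINAL_ASSET}, MANIFEST_KEY)
    tampered_partition = {"logo.png": TAMPERED_ASSET}
    weak_accepts = load_asset_unverified("logo.png", tampered_partition) == TAMPERED_ASSET
    try:
        load_asset_verified("logo.png", tampered_partition, manifest, MANIFEST_KEY)
        hardened_accepts = True
    except ValueError:
        hardened_accepts = False
    return weak_accepts, hardened_accepts
```

The check must also cover the manifest itself, which is why the tag is verified before any per-asset digest is trusted.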

AI review

Solid automotive embedded security research with a real zero-day, genuine hardware teardown, and a complete end-to-end attack chain demo. The vulnerability itself — missing integrity verification on PNG assets despite a nominally secure boot chain — is a clean, well-scoped finding that makes a point the industry keeps ignoring. Not a world-ender, but it's real work on a real target with receipts.
