The sophisticated computer networks embedded within today’s vehicles, which manage everything from navigation to critical safety systems, have also opened a new frontier for cyber threats that were recently on full display at a major hacking competition in Tokyo. At the Pwn2Own Automotive event, hosted by TrendAI’s Zero Day Initiative (ZDI), ethical hackers from across the globe gathered to systematically dismantle the security of modern automotive technology. The competition served as a stark reminder that as vehicles become more connected, their vulnerability to malicious attacks escalates, raising profound concerns for both personal privacy and physical safety. Over the course of the event, an unprecedented 76 unique zero-day flaws were discovered and responsibly disclosed to vendors, highlighting systemic weaknesses across a variety of critical components. For their efforts in uncovering these hidden dangers, security researchers were awarded a total of $1,047,000, underscoring the industry’s investment in proactively identifying and resolving these crucial security gaps before they can be exploited in the wild.
Record-Breaking Exploits on Display
The competition showcased a remarkable level of skill and innovation, with several teams demonstrating complex and novel attack chains against hardened targets. Emerging victorious and earning the coveted “Master of Pwn” title was the team from Fuzzware.io, which took home $215,000 for their exceptional performance. Their winning demonstration included a multi-stage exploit against an Autel EV charger that resulted in complete code execution, a feat that proves even peripheral automotive infrastructure is a viable entry point for attackers. Another significant highlight came from the Synacktiv team, which successfully compromised a Tesla Infotainment system. By leveraging a USB-based attack, they gained deep access to the system, a method that could have serious implications for vehicle control and data security. Furthermore, Synacktiv pioneered a first-of-its-kind exploit by using Near Field Communication (NFC) to target an Autel MaxiCharger, introducing an entirely new attack vector that vendors must now consider in their security designs. These successful breaches of in-vehicle infotainment (IVI) systems, chargers, and core operating systems painted a clear picture of the diverse digital surfaces that require urgent protection.
A Proactive Approach to Vehicle Security
The responsible disclosure of these 76 vulnerabilities marked the beginning of a crucial remediation process, rather than an endpoint. Following the competition, which was co-hosted by VicOne and sponsored by major industry players like Tesla, all details of the discovered flaws were provided to the affected manufacturers. This collaborative framework gives vendors a critical window to develop and deploy patches before the exploits become public knowledge, a process that is vital for protecting consumers. TrendAI noted that this form of proactive research allows it to shield its own customers from emerging threats an average of 71 days ahead of competitors, reinforcing the strategic value of such events. The sheer volume and severity of the vulnerabilities found at Pwn2Own Automotive signaled an urgent need for the automotive industry to embed cybersecurity principles into every stage of the vehicle design and manufacturing lifecycle. The event’s outcomes provided a clear roadmap of where security investments and engineering focus were most needed to build a safer, more resilient future for connected transportation.