Tesla & Automotive Tech Hacked – Pwn2Own Automotive 2026

The Pwn2Own Automotive 2026 competition in Tokyo has already made headlines: researchers exploited 37 zero-days on day one, earning $516,500 in rewards while demonstrating critical vulnerabilities across Tesla systems, EV chargers, and infotainment platforms.

Key Highlights – Day 1

  • Tesla Infotainment System
    • Synacktiv Team chained an information leak with an out-of-bounds write to gain root privileges via USB.
    • Reward: $35,000.
  • Sony XAV-9500ES Digital Media Receiver
    • Synacktiv chained three vulnerabilities for root-level code execution.
    • Reward: $20,000.
  • Alpitronic HYC50 Charger, Autel Charger, Kenwood DNR1007XR
    • Fuzzware.io hacked all three.
    • Reward: $118,000.
  • Phoenix Contact CHARX SEC-3150 Charging Controller
    • PetoWorks chained three zero-days for root privileges.
    • Reward: $50,000.
  • ChargePoint Home Flex, Autel MaxiCharger, Grizzl-E Smart 40A
    • Team DDOS exploited vulnerabilities across all three.
    • Reward: $72,500.

Day 2 Targets

  • Grizzl-E Smart 40A → targeted by 4 teams.
  • Autel MaxiCharger → targeted 3 times.
  • ChargePoint Home Flex → targeted by 2 teams.
  • Phoenix Contact CHARX SEC-3150 → targeted by Fuzzware.io for a $70,000 reward.

Competition Context

  • Event: Automotive World Conference, Tokyo (Jan 21–23, 2026).
  • Focus: Fully patched IVI systems, EV chargers, Automotive Grade Linux.
  • Disclosure policy: Vendors have 90 days to patch before Trend Micro’s Zero Day Initiative (ZDI) publishes details.
  • History:
    • 2025: $886,250 awarded for 49 zero-days.
    • 2024 (first contest): $1.32M awarded, 49 zero-days demoed, Tesla hacked twice.

Security Implications

  • Automotive attack surface is expanding: infotainment systems, EV chargers, and connected-car operating systems are now prime targets.
  • Supply chain risk: Vulnerabilities in chargers and IVI systems could cascade across fleets.
  • Tesla spotlight: Continues to be a high-value target due to its connected ecosystem.

Takeaway

Pwn2Own Automotive 2026 underscores how connected vehicles and EV infrastructure are now critical cybersecurity battlegrounds. With 37 zero-days exposed in a single day, vendors face urgent pressure to patch before attackers in the wild exploit similar flaws.
