Pwn2Own Automotive Competition: Participants Crack Tesla and Charging Stations

Contents

For car manufacturers like Tesla, this year's Pwn2Own Automotive competition was a debacle. After all, the participating teams successfully exploited numerous vulnerabilities and, among other things, played "Doom" on a charging station.

Background

At Pwn2Own competitions, security researchers confront computers, technology, and cars to crack them. If successful, they receive prize money and, in the best case, the affected manufacturers quickly release security patches. After Pwn2Own Automotive 2026, they will certainly have a lot to do. In total, participants uncovered 76 zero-day vulnerabilities. This is how software vulnerabilities are described for which there is no security update yet. Whether patches have been released in the meantime is not yet known.

The competition is organized by Trend Micro's Zero Day Initiative. They have compiled the results in their blog.

Successful Attacks

The organizers state that they have paid out a total of just over 1 million US dollars in prize money. Team Fuzzware.io secured first place in the overall standings. This earned them 215.000 US dollars. In return, they successfully attacked the ChargePoint Home Flex (CPH50-K) charging station, among other things.

On the very first day of the competition, Tesla's infotainment system had to yield. The Synacktiv team combined two vulnerabilities to trigger a memory error via a USB-based attack. Such a condition is often the basis for executing malicious code.

Will it run "Doom"?

Several security researchers took on the Alpitronic HYC50 charging station, and in the end, the first-person shooter "Doom" ran on it. This earned them 20.000 US dollars. For security reasons, there are no further details available at this time about the vulnerabilities exploited in the competition. It remains to be hoped that car and charging station manufacturers react quickly and release security patches promptly.

(des)