"infosec in brief 'Twas a dark few days for automotive software systems last week, as the third annual Pwn2Own Automotive competition uncovered 76 unique zero-day vulnerabilities in targets ranging from Tesla infotainment to EV chargers. A record 73 entries were included in this year's competition at Automotive World in Tokyo, and, while not all were successful, Trend Micro's Zero Day Initiative still ended up paying out more than $1 million to successful competitors. For those unfamiliar with the structure of a Pwn2Own competition, ethical hackers and security experts enter with plans to perform a certain exploit, which they must do in a limited time."
"Cash prizes are awarded for successful attempts, as are points, with both increasing based on uniqueness, impact, and complexity. The largest single-exploit payout (and point award) of the three-day event went to the eventual winners, a trio of security researchers from Fuzzware.io, on the first day. The team took home $60,000 and earned six points by exploiting a single out-of-bounds write vulnerability in the Alpitronic HYC50 EV charger. Fuzzware hackers ended up earning the Master of Pwn title with a total of 28 points and total winnings of $215,500 over seven successful demonstrations."
"In addition to Fuzzware's successful attack on the HYC50, another team also managed to exploit a Time-of-Check to Time-of-Use vulnerability in the charger, which they leveraged to install a playable version of Doom on the charger's screen, earning $20,000. The HYC50 was also hit by another team that exploited an exposed "dangerous" method in the charger. The Tesla infotainment system was also fully taken over by the Synacktiv team by chaining an information leak with an out-of-bounds write vulnerability, and Automotive Grade Linux was compromised via a trio of vulnerabilities."
Seventy-six unique zero-day vulnerabilities were discovered during the third annual Pwn2Own Automotive competition, affecting targets from Tesla infotainment systems to EV chargers. Seventy-three entries competed in Tokyo, with Trend Micro's Zero Day Initiative paying more than $1 million in prizes. Competitors performed timed exploit demonstrations for cash and points, awarded based on uniqueness, impact, and complexity. Fuzzware.io earned the largest single-exploit payout and the Master of Pwn title, winning $215,500 and 28 points across seven successful demonstrations. Multiple teams exploited the Alpitronic HYC50 charger, including a Doom installation via a Time-of-Check to Time-of-Use bug, and Automotive Grade Linux was also compromised.
Read at Theregister