Listen to this Post
Introduction: When Vehicles Become Data Centers on Wheels
Modern vehicles are no longer just machines that move people from point A to point B. They are rolling data platforms—constantly connected, continuously updated, and deeply integrated with cloud services, mobile apps, and charging infrastructure. From infotainment systems and telematics units to electric vehicle (EV) chargers and automotive operating systems, today’s cars generate and exchange massive volumes of data. This connectivity brings innovation and convenience, but it also introduces serious cybersecurity risks.
Against this backdrop, security researchers and automotive manufacturers are racing to identify vulnerabilities before attackers can exploit them. One of the most influential arenas for this work is Pwn2Own Automotive, a global hacking competition focused on responsibly uncovering zero-day vulnerabilities. The latest edition, hosted in Tokyo by TrendAI’s Zero Day Initiative™ (ZDI), revealed just how exposed connected vehicle ecosystems still are—and why proactive security research is no longer optional.
Overview of the Event and Its Mission
The TrendAI Zero Day Initiative™ has long been recognized as a leader in vulnerability research, and its focus on connected vehicles reflects the rapid digitalization of the automotive industry. Last week’s Pwn2Own Automotive event in Tokyo brought together elite security researchers from around the world, challenging them to identify and responsibly disclose previously unknown flaws in automotive technologies.
The scope of targets was broad and deliberately realistic. Researchers were invited to probe electric vehicle chargers, in-vehicle infotainment (IVI) systems, automotive operating systems, and communication protocols that underpin connected mobility. The goal was not chaos, but clarity: expose weaknesses so vendors can fix them before malicious actors exploit them in the wild.
A Record Number of Vulnerabilities Disclosed
The results were striking. Over the course of the event, participants disclosed a total of 76 previously unknown vulnerabilities across automotive and EV charging systems. These findings were not theoretical; they demonstrated real-world attack paths that could lead to data leakage, system compromise, or unauthorized control of critical components.
To reward responsible disclosure, TrendAI ZDI awarded $1,047,000 in prize money, underscoring both the value of the research and the seriousness of the threats involved. The competition also highlighted how complex and interconnected modern vehicle ecosystems have become—where a flaw in one component can cascade across multiple systems.
Fuzzware.io Claims the Master of Pwn
Among the standout performers was Fuzzware.io, which earned the coveted Master of Pwn title. Their work netted them $215,000, reflecting both the technical sophistication and the real-world impact of their exploits.
The Fuzzware.io team successfully chained multiple vulnerabilities to achieve code execution on the Autel MaxiCharger AC Elite Home 40A EV Charger. Beyond simply demonstrating access, they showed how attackers could manipulate the ChargePoint signal—an attack vector with potentially serious implications for charging integrity, billing accuracy, and grid interaction.
Synacktiv’s Breakthrough Attacks
Another major highlight came from Synacktiv, a well-known name in the offensive security community. In the USB-based Attack category, the team chained an information leak with an out-of-bounds write to exploit the Tesla Infotainment system. This demonstrated how seemingly minor flaws can be combined to achieve deeper system compromise.
Synacktiv also made Pwn2Own history by leveraging NFC-based attacks against the Autel MaxiCharger AC Elite Home 40A, using the Charging Connector Protocol and Signal Manipulation add-on. This marked the first time NFC was successfully used in this context at the competition, expanding the known attack surface for EV charging infrastructure.
Industry Collaboration Behind the Scenes
Pwn2Own Automotive was not a solo effort. The event was co-hosted by VicOne in partnership with TrendAI ZDI and sponsored by Tesla, with additional support from Alpitronic and the Open Charge Alliance. This collaboration reflects a growing recognition across the industry: cybersecurity in automotive ecosystems cannot be addressed in silos.
By inviting researchers to test real products under controlled conditions, manufacturers gain early visibility into weaknesses that might otherwise remain hidden until exploited by criminals or nation-state actors.
Faster Protection Through Early Disclosure
One of the most compelling outcomes of Pwn2Own is the speed at which vulnerabilities are addressed. TrendAI reports that disclosures from the competition allow them to protect customers from zero-day exploits an average of 71 days earlier than the rest of the cybersecurity industry.
In an environment where attackers often move faster than defenders, this time advantage can be the difference between a contained vulnerability and a widespread security incident affecting millions of vehicles.
Leadership Perspective on Proactive Security
Rachel Jin, Chief Platform and Business Officer at TrendAI, emphasized the strategic importance of proactive research. According to Jin, proactive security is central to protecting both customers and the broader digital ecosystem. With connected assets becoming a permanent fixture of modern life, initiatives like Pwn2Own are critical to advancing threat research and strengthening collective defenses.
What Undercode Say:
The Pwn2Own Automotive results send a clear and somewhat uncomfortable message: the automotive industry is still catching up to the security realities of full connectivity. Vehicles now resemble distributed computing platforms more than traditional mechanical products, yet many development and security practices lag behind those used in mature IT environments.
From Undercode’s perspective, the sheer number of vulnerabilities disclosed—76 in a single event—highlights systemic issues rather than isolated mistakes. EV chargers, for example, sit at the intersection of vehicles, home networks, payment systems, and power grids. A compromise here is not just an automotive issue; it becomes an infrastructure risk.
The successful chaining of vulnerabilities is particularly concerning. Modern attackers rarely rely on a single flaw. Instead, they exploit sequences of weaknesses to bypass defenses and escalate privileges. The fact that researchers could demonstrate such chains in controlled conditions suggests that determined adversaries could do the same in real-world scenarios.
Another key takeaway is the expanding attack surface. NFC, USB, wireless protocols, and cloud APIs all represent potential entry points. As vehicles integrate more convenience features, the number of possible attack vectors grows accordingly. Security-by-design must therefore become a foundational principle, not an afterthought.
Undercode also sees Pwn2Own as evidence that transparency and collaboration work. Rather than hiding flaws, vendors that engage with the research community gain early warnings and actionable intelligence. This approach not only reduces risk but also builds long-term trust with consumers who increasingly care about digital safety as much as physical safety.
Finally, the event reinforces the idea that cybersecurity is now a core automotive competency. Manufacturers that fail to invest in robust security testing, rapid patching, and continuous monitoring risk falling behind—not just technologically, but reputationally.
Fact Checker Results:
✅ Pwn2Own Automotive Tokyo disclosed 76 zero-day vulnerabilities across vehicles and EV chargers.
✅ Over $1 million in prizes was awarded, confirming the scale and seriousness of the research.
❌ No evidence suggests these vulnerabilities were actively exploited before responsible disclosure.
Prediction:
🔮 Connected vehicles will soon be regulated under stricter cybersecurity frameworks similar to critical infrastructure.
🔮 EV chargers will become a primary focus for attackers due to their hybrid role in energy and mobility ecosystems.
🔮 Competitive hacking events like Pwn2Own will increasingly shape automotive security roadmaps.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.trendmicro.com
Extra Source Hub (Possible Sources for article):
https://www.reddit.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon
