Hackers Exploit 29 Zero-Days at Pwn2Own Automotive

Summary
– On the second day of Pwn2Own Automotive 2026 in Tokyo, researchers earned $439,250 by exploiting 29 unique zero-day vulnerabilities in automotive technologies.
– The contest targets fully patched systems like EV chargers, in-vehicle infotainment units, and car operating systems such as Automotive Grade Linux.
– Fuzzware.io leads the leaderboard with $213,000, having earned $95,000 for hacking three specific EV charging station models.
– Individual researchers and teams, including Sina Kheirkhah and Rob Blakely with Hank Chen, were awarded $40,000 each for successful exploits on various devices.
– Vendors have 90 days to patch reported vulnerabilities before the Zero Day Initiative publicly discloses them, following the contest’s responsible disclosure policy.

The second day of the Pwn2Own Automotive 2026 hacking competition in Tokyo saw security experts earn nearly half a million dollars by uncovering critical vulnerabilities in modern vehicle systems. This high-stakes event, running alongside the Automotive World conference, challenges researchers to compromise fully updated electric vehicle chargers, infotainment units, and automotive operating systems. The substantial cash rewards highlight the escalating value and urgency of securing the technologies that power today’s connected cars.
Fuzzware.io emerged as the frontrunner after two days, amassing a total of $213,000. Their impressive haul included an additional $95,000 for successfully exploiting zero-day flaws in three separate EV charging stations: the Phoenix Contact CHARX SEC-3150 controller, the ChargePoint Home Flex, and the Grizzl-E Smart 40A model. Other notable successes included Sina Kheirkhah from the Summoning Team, who collected $40,000 for hacking a Kenwood navigation receiver and an Alpine multimedia system alongside another ChargePoint unit.
Researchers Rob Blakely and Hank Chen also each secured $40,000 awards. They demonstrated sophisticated exploit chains targeting Automotive Grade Linux and the Alpitronic HYC50 charging station. With these latest discoveries, the total prize money awarded in the contest’s first 48 hours soared to $955,750, stemming from a remarkable 66 unique zero-day vulnerabilities.
The competition’s final day promises further action, with teams scheduled to target the Grizzl-E Smart 40A and Alpitronic HYC50 once more, alongside an attempt on an Autel MaxiCharger. These efforts follow a strong first day, where the Synacktiv Team earned $55,000. Their work involved a USB-based attack on the Tesla Infotainment System to gain root access and a separate exploit chain on a Sony digital media receiver.
This year’s event continues a trend of escalating discoveries and rewards. The 2025 contest concluded with $886,250 in prizes for 49 zero-days, while the 2024 edition awarded over $1.3 million for a similar number of flaws, including two successful hacks of a Tesla vehicle. A critical rule of Pwn2Own mandates that affected vendors have a 90-day window to develop and release patches for any reported vulnerabilities before the Zero Day Initiative publicly discloses the technical details, driving rapid improvements in automotive cybersecurity.
(Source: Bleeping Computer)