Automotive Cybersecurity Under Scrutiny: Hackers Expose Vulnerabilities at Pwn2Own Automotive 2026
The evolving landscape of automotive technology, increasingly reliant on software and network connectivity, is facing heightened cybersecurity scrutiny. This past week, the third annual Pwn2Own Automotive competition in Tokyo underscored the real and growing threats facing modern vehicles and the infrastructure that supports them. A record 73 entries were submitted, demonstrating a surge in researcher interest and a corresponding increase in identified vulnerabilities. The event, sponsored by Trend Micro’s Zero Day Initiative (ZDI), resulted in over $1 million in bug bounties awarded to researchers who successfully exploited systems from leading automotive manufacturers and charging network providers.
The Pwn2Own Automotive competition operates under a strict disclosure policy. All discovered vulnerabilities are reported directly to the affected vendors through ZDI, with public disclosure intentionally delayed to allow manufacturers time to develop and deploy security patches. This responsible disclosure model is crucial in mitigating risks before they can be exploited by malicious actors.
Infotainment Systems Targeted, Tesla Hacked via USB
Infotainment platforms proved to be a primary target for researchers. Systems from Tesla, Sony, and Alpine were all compromised during the demonstrations. Exploitation techniques ranged from classic buffer overflows and information leaks to more elegant logic flaws. Notably, a Tesla infotainment unit was successfully hacked via a USB-based attack, granting researchers root-level access to the system. This highlights the potential dangers of connecting untrusted devices to a vehicle’s infotainment system.
“The ability to gain root access to a vehicle’s infotainment system is a notable concern,” explains automotive cybersecurity expert Scott Nelson, founder of Digital Motorworks. “While seemingly limited to entertainment and navigation functions, these systems are increasingly integrated with critical vehicle controls. A compromised infotainment system could perhaps be a stepping stone to more sensitive areas of the vehicle’s network.”
The vulnerabilities discovered aren’t limited to the vehicle itself. Electric vehicle (EV) charging infrastructure also came under intense scrutiny, revealing weaknesses in chargers from Autel, Phoenix Contact, ChargePoint, Grizzl-E, Alpitronic, and EMPORIA. Researchers demonstrated the ability to manipulate charging behavior and even execute code on the charging devices themselves by chaining together multiple vulnerabilities. This underscores the fact that charging stations are essentially network-connected computers with direct communication lines to vehicles, making them attractive targets for attackers.
Doom on a Charger: Exploiting TOCTOU Bugs in EV Infrastructure
One particularly striking demonstration involved exploiting a “Time-of-Check to Time-of-Use” (TOCTOU) bug in an Alpitronic HYC50 fast-charging station. This classic vulnerability occurs when a system checks a condition and the underlying state then changes before the system acts on the result of that check. Researchers leveraged this flaw to install and run a playable version of Doom on the charging station,