Tesla Pwn2Own 2025 Hacking Event and Vulnerabilities
The Pwn2Own Automotive 2025 hacking contest, held in Tokyo, Japan, from January 22 to January 24, has revealed significant vulnerabilities in various automotive technologies, including Tesla's Wall Connector electric vehicle charger.
Tesla Wall Connector Vulnerabilities
On the second day of the competition, security researchers successfully hacked Tesla's Wall Connector electric vehicle charger twice:
- PHP Hooligans were the first to exploit the Tesla Wall Connector using a "Numeric Range Comparison Without Minimum Check" zero-day bug, allowing them to take control of the device [1].
- Synacktiv followed by hacking the Tesla EV charger via the Charging Connector, a method that had never been demonstrated publicly before [1].
Additionally, two bug collisions occurred during attempts to hack the Tesla Wall Connector by PCAutomotive and Sina Kheirkhah of the Summoning Team, who used an exploit chain of two already-known bugs [1].
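The weakness class named above, "Numeric Range Comparison Without Minimum Check" (CWE-839), shown as a generic added example in C. It is not Tesla's firmware or the researchers' exploit; the table, function names and values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define N_SLOTS 8
/* Constructed sample table; stands in for any fixed-size buffer. */
static const int slots[N_SLOTS] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Flawed validation (CWE-839): a signed index is compared against the
 * maximum only, so every negative value is accepted. Returns 1 if accepted. */
int check_max_only(int idx) {
    return idx < N_SLOTS;
}

/* Corrected validation: minimum and maximum are both enforced. */
int check_both_bounds(int idx) {
    return idx >= 0 && idx < N_SLOTS;
}

/* Equivalent fix: compare as unsigned. A negative int converts to a very
 * large size_t, so the single upper-bound comparison rejects it. */
int check_unsigned(int idx) {
    return (size_t)idx < (size_t)N_SLOTS;
}

/* Hardened accessor: returns 0 and stores the value, or -1 if rejected. */
int read_slot(int idx, int *out) {
    if (!check_both_bounds(idx))
        return -1;
    *out = slots[idx];
    return 0;
}

int main(void) {
    const int probes[] = {-1, 0, 7, 8};  /* constructed test indices */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int idx = probes[i];
        printf("idx=%2d  max-only:%d  both-bounds:%d  unsigned:%d\n",
               idx, check_max_only(idx), check_both_bounds(idx),
               check_unsigned(idx));
    }
    return 0;
}
```

The flawed predicate is only evaluated here, never used to index the table, so the program stays within defined behaviour while showing which inputs each check admits.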
Overall Competition Results
Here are the key highlights from the Pwn2Own Automotive 2025 competition:
Day 1 Results
- Participants earned a total of $382,750 for exploiting 16 unique zero-day vulnerabilities in infotainment systems, electric vehicle (EV) chargers, and automotive operating systems.
- Significant rewards included $50,000 each for exploits targeting Autel and Ubiquiti EV chargers, $41,750 for a Phoenix Contact charging controller exploit, and $47,500 for a ChargePoint charger exploit [2][5].
Day 2 Results
- Security researchers exploited 23 more zero-day vulnerabilities, earning $335,500 in cash rewards.
- Vulnerabilities were found in WOLFBOX, ChargePoint Home Flex, Autel MaxiCharger, Phoenix Contact CHARX, and EMPORIA EV chargers, as well as in the Alpine iLX-507, Kenwood DMX958XR, and Sony XAV-AX8500 In-Vehicle Infotainment (IVI) systems [1].
General Observations
- The competition focused on automotive technologies, including car operating systems (Automotive Grade Linux, Android Automotive OS, and BlackBerry QNX), EV chargers, and IVI systems.
- Despite Tesla providing a Model 3/Y (Ryzen-based) equivalent benchtop unit, no security researcher attempted to hack it during the competition [1][2].
Post-Competition Actions
- Vendors have 90 days to develop and release security fixes for the exploited vulnerabilities before Trend Micro's Zero Day Initiative (ZDI) publicly discloses the zero-day bugs [1][2].
Historical Context
- Last year's Pwn2Own Automotive in Tokyo saw security researchers earn $1,323,750 for hacking a Tesla twice and exploiting 49 zero-day bugs in multiple electric car systems [1].