Security researchers at the Pwn2Own Automotive competition demonstrated a rapid compromise of a Tesla infotainment system, underscoring the continued pressure on connected car defenses. The successful exploit chain, executed by the Synacktiv team, earned a $35,000 award and renewed debate over how effectively automakers segment in-car entertainment from safety-critical vehicle controls.
What Researchers Demonstrated in the Tesla Hack
Synacktiv linked multiple zero-day bugs to break into Tesla’s infotainment stack via a USB-based attack path, according to disclosures at the event run by the Zero Day Initiative. The group strung together vulnerabilities to achieve code execution, a technique that mirrors real-world intrusions where chained flaws defeat layered defenses.

Organizers emphasized that Pwn2Own tests are conducted under controlled conditions and that results are shared privately with affected vendors to facilitate patches. The demonstration targeted the entertainment interface rather than drive systems, but it still matters: in-vehicle infotainment sits at the center of a complex web of apps, connectivity, and peripherals, and it often acts as a launch point for lateral movement if other protections fail.
Synacktiv also secured root-level access on a Sony XAV-9500ES digital media receiver, netting an additional $20,000. The breadth of targets reinforces a key theme in automotive security: risk extends beyond the carmaker to third-party head units, chargers, and connectors that share the vehicle ecosystem.
Prize Totals Signal a Competitive Field in Tokyo
The third annual Pwn2Own Automotive event in Tokyo drew 73 competing teams, with researchers surpassing $500,000 in awards within the first day, as reported by industry outlets tracking the contest. Fuzzware.io led the early leaderboard with $118,000, including a $50,000 prize for compromising an Autel MaxiCharger.
Other teams successfully targeted a Phoenix Contact charging connector and a Grizzl-E Smart charger, illustrating how the attack surface now straddles vehicles, home charging gear, and public infrastructure. Tesla models remain a marquee target given their scale and the company’s history of frequent over-the-air updates and bug bounties, but the results show attackers probing every link in the chain.
Total payouts offer a useful, if imperfect, proxy for the difficulty of finding impactful flaws. The first Pwn2Own Automotive awarded roughly $1.3 million, followed by $886,000 the next year. This year’s event has distributed about $516,500 so far. Lower cumulative awards can indicate harder-to-find bugs, tighter categories, or simply fewer successful entries; it is not yet a definitive signal that vehicles are broadly more secure.

Coordinated Disclosure and Patch Timelines Explained
Under Zero Day Initiative rules, vendors have a 90-day window to deliver fixes before technical details are released publicly. With 37 zero-day flaws being showcased, engineering teams across the automotive stack now face a sprint to patch and validate updates. This model has historically accelerated remediation by providing clear timelines and centralized reporting while avoiding immediate exposure of exploit code.
For Tesla owners, the coordinated disclosure process dovetails with the company’s rapid OTA cadence. In practice, that means a patched build can arrive without dealership visits, reducing the window of exposure once a fix has been validated. Other suppliers, particularly in charging infrastructure, may require firmware updates through installers or app-based notifications.
What This Means for Drivers and Owners Right Now
There is no evidence from the event of drive system compromise; this was an infotainment-focused intrusion.
Still, basic hygiene applies:
- Install updates as soon as they are available.
- Avoid plugging unknown USB devices into vehicle ports.
- Monitor manufacturer advisories.
- Check for firmware updates from the respective vendors if you use an aftermarket head unit or third-party charging gear.
The bigger takeaway is that the car is now part of a broader digital ecosystem. Security depends on how well each component—from the dashboard software to the charger on the garage wall—is hardened, monitored, and kept current. Events like Pwn2Own continue to uncover where those seams exist, giving vendors a roadmap to close them before attackers in the wild do the same.
