Critical Vehicle Security Flaws Net $382,750 in Rewards at Pwn2Own Automotive 2025

Security researchers uncovered 16 previously unknown vulnerabilities in automotive systems on the opening day of Pwn2Own Automotive 2025 in Tokyo, earning a total of $382,750 in rewards.

The competition, organized by Trend Micro's Zero Day Initiative (ZDI), focused on exposing security weaknesses in infotainment systems, EV chargers, and automotive operating systems.

Several teams demonstrated successful exploits of charging infrastructure. The Summoning Team's Sina Kheirkhah earned $50,000 by exposing a hard-coded cryptographic key vulnerability in a Ubiquiti charger. The PHP Hooligans matched this reward by discovering a heap-based buffer overflow in an Autel charging system.

The fuzzware.io team, comprising Tobias Scharnowski, Felix Buchmann, and Kristian Covic, secured $50,000 and earned 10 points in the Master of Pwn rankings.

In another notable achievement, the Synacktiv team successfully manipulated charging signals through a ChargePoint connector by combining multiple vulnerabilities, earning $47,500.

The Technical Debt Collectors team targeted Automotive Grade Linux, demonstrating multiple security flaws that netted them $33,500 despite using one previously known vulnerability in their exploit chain.

Interestingly, while organizers offered a substantial $500,000 bounty for successfully compromising Tesla's autopilot system, no participants attempted this challenge during the first day.

The competition highlights growing security concerns in the automotive industry as vehicles become increasingly connected and dependent on complex software systems.