Pwn2Own Automotive Shows How Insecure Our Vehicles Are

The first day of the Pwn2Own Automotive hacking competition has kicked off in Tokyo, Japan, with “a record 73 entries” showing that our vehicles are juicier targets than ever.

Competitors attacked infotainment systems and charging stations for electric vehicles, exploiting 37 vulnerabilities and earning a total of $516,500. Among the victims was Tesla’s infotainment system, hacked by the Synacktiv team, who chained two zero-day vulnerabilities together to compromise it. The results of day one have been posted, complete with a leaderboard.

The contest takes place during the Automotive World exhibition, a show of the latest tech from auto manufacturers.

The contest, run by the Zero Day Initiative, gives us a glimpse into just how vulnerable our vehicles are. Understandably, the focus is mainly on the infotainment system, but I was surprised to see multiple charging controllers hacked as well. You wouldn’t think a charging controller would be vulnerable, but clearly that’s not the case.

The internal workings of a modern car are essentially a complex network of components talking to each other, any of which can be vulnerable to attack. The competition only focused on specific parts of the vehicle, but imagine the damage that could be done if the competition were to target a full car.

You don’t even necessarily need physical access to the car. A vulnerability in Subaru’s STARLINK system (no, not that one) allowed attackers to take control of a vehicle remotely via an exposed and vulnerable admin panel.

An attacker could remotely start, stop, and unlock any vehicle and retrieve its current location or complete location history; read information about the car such as sales history, odometer reading, and previous owners; and access personally identifiable information such as emergency contacts, physical address, billing information, and the vehicle PIN. All of this without the complex exploit chain or physical access the contestants needed.

The same researchers found a similar remote vulnerability in Kia’s system that would allow an attacker to remotely start/stop, geolocate, and lock/unlock the vehicle, and even access the cameras on certain models, with nothing more than the license plate. The vehicle didn’t even need an active Kia Connect subscription.

Vulnerabilities in cars have shot up sharply since around 2019. Auto manufacturers have not caught up to the growing landscape of threats. The 2025 Pwn2Own competition ended with 49 vulnerabilities exploited, the same number as the previous year.

There are at least some efforts to address the growing issue of cybersecurity in cars. ISO/SAE 21434 provides a standard of cybersecurity best practices for car manufacturers to adhere to. There is also work on implementing Secure Boot using Hardware Security Modules for cars, which improves resistance to malware persistence: firmware that has been modified on disk fails verification and is never executed.
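To show why an HSM-rooted Secure Boot chain limits persistence, here is a small model I added for this post; it is not code from Pwn2Own, ZDI, or any manufacturer. It assumes a simplified scheme in which each boot stage is authenticated with a MAC computed under a key that only the HSM holds (the constructed key, stage names, and image bytes below are all made up). Each stage is verified before it is "executed", and a single flipped byte in any stage halts the boot at that stage.

```python
"""Simplified model of an HSM-rooted secure boot chain (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the boot key provisioned inside the HSM at manufacture.
# In a real ECU this key never leaves the HSM; only MAC tags cross the boundary.
HSM_BOOT_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


@dataclass(frozen=True)
class Stage:
    """One boot stage: a name, its firmware image bytes, and the tag stored beside it."""
    name: str
    image: bytes
    mac: bytes


def hsm_compute_mac(key: bytes, image: bytes) -> bytes:
    """Models the HSM's MAC service (HMAC-SHA256 stands in for a hardware CMAC)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def sign_stage(name: str, image: bytes, key: bytes = HSM_BOOT_KEY) -> Stage:
    """Production-time step: the signing facility computes the tag for a released image."""
    return Stage(name, image, hsm_compute_mac(key, image))


def verify_stage(stage: Stage, key: bytes = HSM_BOOT_KEY) -> bool:
    """Boot-time step: recompute the tag and compare in constant time."""
    expected = hsm_compute_mac(key, stage.image)
    return hmac.compare_digest(expected, stage.mac)


def secure_boot(chain, key: bytes = HSM_BOOT_KEY):
    """Walk the chain of trust: verify each stage before 'executing' it.

    Returns (booted, executed_stage_names, reason). A verification failure stops
    the walk, so later stages (including a tampered application) never run.
    """
    executed = []
    for stage in chain:
        if not verify_stage(stage, key):
            return False, executed, f"{stage.name}: MAC mismatch, halting boot"
        executed.append(stage.name)
    return True, executed, "boot ok"


def tamper(stage: Stage, offset: int) -> Stage:
    """Simulate malware patching one byte of an image on flash; the stored tag is unchanged."""
    patched = bytearray(stage.image)
    patched[offset] ^= 0x01
    return Stage(stage.name, bytes(patched), stage.mac)


def build_chain():
    """Constructed three-stage chain: bootloader -> kernel -> application."""
    return [
        sign_stage("bootloader", b"BL1\x00" + bytes(range(64))),
        sign_stage("kernel", b"KRN\x00" + bytes(range(64, 128))),
        sign_stage("application", b"APP\x00" + bytes(range(128, 192))),
    ]


if __name__ == "__main__":
    chain = build_chain()
    print(secure_boot(chain))                                    # boots all three stages
    chain[2] = tamper(chain[2], 10)                              # persistence attempt on the app
    print(secure_boot(chain))                                    # halts before the app runs
    print(secure_boot(build_chain(), key=b"\x00" * 32))          # wrong key: nothing runs
```

The design point is that the decision to run a stage is made by code that has already been verified, rooted in a key the attacker cannot read or replace; a modified image is rejected before it can execute, which is exactly what defeats on-device persistence. The model leaves out what real implementations also need: anti-rollback counters, a signature rather than a MAC where the verifier must not hold the signing secret, and an authenticated path for legitimate firmware updates.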

It seems to be too little, too late, however. We will have to wait and see whether car manufacturers start taking security seriously or just keep carelessly dumping more connected features into vehicles.