Friday, January 24, 2025
Pwn2Own Automotive 2025 Ends with 49 New Zero-Days — and Several Unpatched Flaws from 2024

Trend Micro’s Zero Day Initiative (ZDI) has announced the final results of the Pwn2Own Automotive security contest, awarding nearly $900,000 in prizes for 49 zero-day vulnerabilities discovered in devices from Tesla, Kenwood, Alpine, Sony, Ubiquiti, and others.

“Pwn2Own Automotive 2025 is complete,” ZDI’s Dustin Childs announced at the close of the third day of the competition, held at Automotive World in Tokyo. “In total, we awarded $886,250 for 49 zero-days over the three day competition. Thanks to all of the researchers and vendors who attended. Without their hard work and dedication, none of this would be possible.”

Pwn2Own shot to fame by not only offering cash prizes for competitors able to demonstrate previously-unknown security vulnerabilities in popular consumer products but in giving them the “pwned” hardware too — hence “pwn to own.” In September last year ZDI and VicOne announced that the competition, which sees the technical details of each vulnerability provided solely to ZDI for responsible disclosure to affected vendors, was to branch out into the automotive sector — and last year’s inaugural Pwn2Own Automotive saw the discovery of almost 50 vulnerabilities and the payout of over $1 million in prizes.

If you had hoped automotive companies might have learned from last year’s showing, though, you’d be disappointed — particularly with Alpine, whose in-car entertainment system was shown to still be vulnerable to flaws discovered during Pwn2Own Automotive 2024, which the company has declined to fix. No vehicles themselves were the focus of attacks this time around; instead, competitors demonstrated vulnerabilities in in-car entertainment systems and electric vehicle charging systems from Alpine, Autel, Automotive Grade Linux, ChargePoint, Kenwood, Phoenix Contact, Sony, Tesla, Ubiquiti, and WOLFBOX.

“In total,” Childs concludes of the competition’s results, “we awarded $886,250 for 49 zero-days over the three day competition. With 30.5 points and $222,250 awarded, Sina Kheirkhah of Summoning Team is our Master of Pwn.” Second place was taken by team Synacktiv with $147,500 and 21.5 points, with the remaining top five made up of PHP Hooligans with $110,000 and 12 points, fuzzware.io with $68,750 and 12 points, and Viettel Cyber Security with $53,750 and 8.75 points.

More information about each of the vulnerabilities is available on the ZDI blog — though, in keeping with its goal of responsible disclosure, technical details are not included.

Main article image courtesy of PHP Hooligans/ZDI.