TOKYO – In a stark demonstration of the burgeoning security risks facing the automotive industry, a global cohort of elite ethical hackers converged here to dismantle the digital defenses of some of the most advanced vehicles and charging systems on the market. Over three days at the Pwn2Own Automotive 2024 competition, researchers exposed dozens of previously unknown “zero-day” vulnerabilities, earning a staggering $1,323,750 in prize money for successfully compromising systems from Tesla, ChargePoint, and others. The event, organized by Trend Micro’s Zero Day Initiative (ZDI), serves as a critical, if unsettling, barometer of the industry’s cybersecurity posture.

The competition underscored a fundamental shift in automotive design: modern vehicles are no longer just mechanical conveyances but complex, rolling data centers teeming with software, sensors, and wireless connections. This digital transformation has created an unprecedented attack surface, and the results from Tokyo suggest that manufacturers are struggling to keep pace with the threats. Researchers successfully demonstrated exploits against in-vehicle infotainment (IVI) systems, modems, and, for the first time in this competition’s history, Electric Vehicle (EV) chargers, revealing pathways that could potentially allow malicious actors to access sensitive data or manipulate vehicle functions.

Synacktiv Team Dominates with Sophisticated Tesla Exploits

The undisputed champion of the event was the French security research team from Synacktiv, who walked away with $530,000 in earnings and the coveted “Master of Pwn” title. Their most remarkable achievement was a series of intricate hacks against a Tesla Model 3, a vehicle often lauded for its robust security architecture. In one demonstration, the team executed a three-bug chain against the Tesla infotainment system, leveraging three distinct vulnerabilities in sequence to achieve “root” access, the highest level of system control. This feat alone earned them a $200,000 payout and a brand-new Tesla Model 3, the grand prize for the IVI category.

The complexity of such an attack highlights the sophisticated methods required to breach modern automotive systems. According to a detailed event summary from Trend Micro’s Zero Day Initiative, Synacktiv’s researchers also successfully compromised the vehicle’s modem by chaining two separate flaws. This allowed them to gain control over a key communications component, a troubling prospect given the modem’s role in connecting the vehicle to external networks. These were not simple, single-shot exploits but carefully orchestrated campaigns that bypassed multiple layers of security, demonstrating a deep understanding of the vehicle’s internal workings.

EV Charging Infrastructure Emerges as a Critical New Cyber Front

Perhaps the most significant development at this year’s competition was the intense focus on Electric Vehicle Supply Equipment (EVSE), commonly known as EV chargers. As the backbone of the electric mobility transition, the security of this infrastructure is paramount, and researchers proved it is far from impenetrable. The Synacktiv team again took the lead, earning $60,000 for a two-bug chain exploit against the ChargePoint Home Flex, one of the most popular home charging stations in North America. By compromising the charger, they gained root-level remote code execution, a level of access that could theoretically be used to disrupt charging, steal user data, or potentially impact the electrical grid if scaled across many devices.

The NCC Group EDG team also found success in this category, compromising the JuiceBox 40 smart charging station. The vulnerabilities in these widely deployed chargers represent a systemic risk that extends beyond a single vehicle. As reported by BleepingComputer, the ability to remotely control these devices opens up a new vector for large-scale attacks. The successful exploits serve as a crucial warning to an industry rapidly deploying this technology, emphasizing the need for rigorous security standards not just in the cars themselves, but in the entire ecosystem that supports them.

The Mechanics of the Breach: From Bluetooth to CAN Bus

The technical details of the exploits reveal common weak points in automotive technology. Multiple teams targeted infotainment systems through their most accessible interfaces, such as Bluetooth and Wi-Fi. The Midnight Blue team, for example, earned $60,000 by using a two-bug chain to compromise the infotainment system on the Sony Afeela, a vehicle from the joint venture between Sony and Honda. Their attack vector was Bluetooth, which then allowed them to pivot and gain control of the system.

A critical goal for many researchers was to move beyond the sandboxed environment of the infotainment unit and gain access to more critical vehicle systems, such as the Controller Area Network (CAN) bus, which manages core functions like steering, braking, and engine control. While no team demonstrated a full remote compromise of driving functions, Synacktiv did succeed in sending arbitrary CAN messages on the Tesla after their initial breach. This is a significant step, proving that a bridge from the entertainment system to the vehicle’s operational network is possible, a scenario that security experts have long warned about and that publications like The Register have highlighted as a primary concern for the industry.

A Collaborative Model for a More Secure Future

Despite the alarming nature of the successful hacks, the Pwn2Own event is fundamentally a collaborative effort designed to strengthen, not undermine, automotive security. The Zero Day Initiative operates on a principle of coordinated disclosure. Before the competition, vendors like Tesla, ChargePoint, and Alpine provide their latest hardware and software for the researchers to target. Once a vulnerability is successfully demonstrated, ZDI privately discloses the full technical details to the affected vendor, giving them a 90-day window to develop and deploy a patch before any information about the exploit is made public.

This model creates a powerful incentive structure. Researchers are financially rewarded for their time and expertise, while manufacturers receive invaluable, real-world penetration testing from some of the best security minds in the world. This proactive approach helps ensure that critical vulnerabilities are fixed before they can be discovered and exploited by malicious actors. The substantial payouts, funded in part by sponsors like Tesla, reflect the high value that these companies place on identifying and remediating security flaws in a controlled environment, rather than learning about them from a widespread, damaging attack in the wild.

The Road Ahead: Autonomy, Connectivity, and Compounding Risk

The results from Pwn2Own Automotive 2024 are a clear signal that the industry’s digital arms race is escalating. As vehicles incorporate more sophisticated features like Vehicle-to-Everything (V2X) communication, autonomous driving capabilities, and third-party app stores, the potential for catastrophic cyber-attacks grows. Each new feature adds layers of code and connectivity, which inevitably introduces new potential vulnerabilities. The challenge for automakers is to integrate these cutting-edge technologies without compromising the safety and security of the vehicle and its occupants.

The competition has firmly established that no single component can be overlooked, from the modem and infotainment system to the charging stations that power the fleet. The industry must move towards a more holistic security model, embedding cybersecurity principles throughout the entire design, development, and post-deployment lifecycle of a vehicle. For consumers and fleet operators, the event is a sobering reminder that a car’s security is no longer just about locks and alarms, but about the resilience of the millions of lines of code that now control nearly every aspect of its operation.