Following the success of its inaugural edition, which uncovered 49 unique zero-day vulnerabilities, Pwn2Own Automotive — the automotive-focused variant of the well-known Pwn2Own series of ethical hacking competitions — is set to return for its second year. We’re thrilled to announce that Pwn2Own Automotive 2025 is a go: It will be held at the Automotive World conference in Tokyo, Japan, happening from Jan. 22 to 24.
Rules and registration
As with the first go-around, VicOne will co-host this automotive-focused ethical hacking competition with Trend Micro’s Zero Day Initiative (ZDI), the world’s largest vendor-agnostic bug bounty program. Over US$1 million in cash and prizes will also be up grabs for participating security researchers at Pwn2Own Automotive 2025, including the much-coveted Master of Pwn title.
Like other Pwn2Own contests, Pwn2Own Automotive awards the Master of Pwn title to the overall winner, that is, the participant with the most points by the end of the competition. Points are earned for successful exploit attempts, with the first demonstration in each category winning the cash prize. Since the order of attempts is determined via random draw, competitors with later slots can still secure the title, even if they receive a smaller cash payout. Penalties apply for withdrawing from registered attempts, and points are deducted if contestants remove add-on bonuses during their attempts.
The complete set of rules for Pwn2Own Automotive 2025 can be found here. Note that these rules may be changed at any time without prior notice. Participants are also encouraged to read the ZDI’s guide to Pwn2Own, which details the expectations in participating in a Pwn2Own event.
To begin the registration process for Pwn2Own Automotive 2025, contact the ZDI at pwn2own@trendmicro.com. Registration closes on Jan. 16, 2025, at 5:00 p.m. JST.
Categories and targets
Aside from returning as the title sponsor, Tesla will also feature its wall charger as one of the targets in the electric vehicle (EV) chargers category, a segment that accounted for most of the vulnerabilities discovered at Pwn2Own Automotive 2024.
The following are the four categories and their respective targets for Pwn2Own Automotive 2025.
Tesla
Exploiting a Tesla, not only once but twice, helped Synacktiv nab the Master of Pwn title at Pwn2Own Automotive 2024. Tesla is still the only category with targets worth double-digit Master of Pwn points. For example, if a participant decides to hack Tesla’s Autopilot feature, they could rake in at least 20 points — and potentially a ride home.
Here are the targets for Tesla:
- Tuner
- Infotainment
- Modem
- VCSEC (via CAN bus)
- Gateway (via diagnostic/infotainment Ethernet)
- Any Tesla ECU
- Autopilot
Participants aiming to exploit a Tesla must launch their attacks on a Tesla Model 3/Y (Ryzen-based) or an equivalent bench-top unit. They are also required to inform the ZDI at least two weeks before the contest to allow organizers enough time to source the necessary hardware.
In-vehicle infotainment (IVI) systems
Today’s in-vehicle infotainment (IVI) systems offer not only entertainment but also navigational assistance and other features that enhance the overall driving experience — expanding the vehicle’s attack surface along the way.
Pwn2Own Automotive 2025 will include more targets and newer IVI models. Participants attempting to exploit these systems must attack the exposed services, communication protocols, or physical interfaces accessible to a typical user.
Here are the targets for IVI systems:
- Sony XAV-AX8500
- Alpine iLX-507
- Pioneer DMH-WT7600NEX
- Kenwood DMX958XR
Electric vehicle (EV) chargers
With every charger successfully hacked at least once, the EV chargers category was the clear runaway hit at Pwn2Own Automotive 2024 — highlighting the need for more stringent, even basic, cybersecurity protection for these devices.
As in the IVI systems category, an attempt in the EV chargers category must also be launched against a target’s exposed services, communication protocols, or physical interfaces accessible to a typical user.
Here are the targets for EV chargers:
- ChargePoint Home Flex (Model CPH50)
- Phoenix Contact CHARX SEC-3150
- WOLFBOX Level 2 EV Charger
- EMPORIA EV Charger Level 2
- Tesla Wall Connector
- Autel MaxiCharger AC Wallbox Commercial (MAXI US AC W12-L-4G)
- Ubiquiti Connect EV Station
Operating systems
A vehicle’s operating system (OS) manages the vehicle’s hardware and software resources, supporting both its critical and noncritical functions. Needless to say, any security gaps and vulnerabilities within a vehicle’s OS must be uncovered and addressed early on.
Pwn2Own Automotive 2024 saw the Automotive Grade Linux compromised. Will we see the other targets finally exploited at Pwn2Own Automotive 2025?
Here are the targets for operating systems:
- Automotive Grade Linux
- BlackBerry QNX
- Android Automotive OS
VicOne’s commitment to automotive zero-day vulnerability discovery
As the leader in automotive threat intelligence, VicOne is committed to addressing the evolving automotive ecosystem and its extensive attack surface. VicOne looks forward then to what the participating security researchers will uncover at the next Pwn2Own Automotive competition.
From rickrolling an EV charger to executing multiple multi-bug chains, security researchers continue to demonstrate their outstanding capabilities in discovering zero-day vulnerabilities. In doing so, they play a significant role in advancing automotive technologies and securing connected vehicles amid an ever-evolving threat landscape.
For more details on the rules and targets for Pwn2Own Automotive 2025, read the ZDI’s blog post.
For further updates on Pwn2Own Automotive 2025, visit the official event page and follow the social media accounts and blog posts from VicOne (LinkedIn, X, blog) and the ZDI (LinkedIn, X, blog).
