66 automotive system vulnerabilities were demonstrated at the Pwn2Own Automotive 2026 competition.

The results of the three-day Pwn2Own Automotive 2026 competition, held at the Automotive World conference in Tokyo, have been announced. The competition showcased 66 previously unknown zero-day vulnerabilities in automotive infotainment platforms, operating systems, and electric vehicle charging devices. The attacks utilized the latest firmware and operating systems with all available updates and in their default configurations.

The total amount of rewards paid out was $955. The most successful team, Fuzzware.io, earned $213. Second place (Team DDOS) received $95, and third place (Synacktiv) received $85.

The following attacks were demonstrated during the competition:

  • Hacking the Automotive Grade Linux distribution environment ($4000 for exploiting a chain of three vulnerabilities involving out-of-bounds reads, memory exhaustion, and buffer overflows).
  • 12 hacks of the Alpine iLX-511 infotainment system ($20000, 2 x $10000 and $5000 for exploiting vulnerabilities leading to buffer overflows; $10000, 2 x $5000 and 4 x $2500 for a vulnerability allowing access to a dangerous method; $10000 for a vulnerability leading to command substitution).
  • 12 hacks of the Kenwood DNR1007XR infotainment system ($20000 and $10000 for buffer overflow vulnerabilities; $8000 for an exploit that leveraged a previously known but unpatched hardcoded credentials issue, combined with incorrect access rights to a critical resource and a command substitution vulnerability; $4000 for an exploit that leveraged previously known but unpatched race conditions and incorrect access rights; $8000 and 3 x $2500 for exploiting a known vulnerability that remains unpatched; $8000 for exploiting a chain of three vulnerabilities: hardcoded credentials, incorrect access rights, and missing symbolic link checks; $6000, $5000, and $4000 for vulnerabilities leading to command substitution).
  • 4 hacks of the Sony XAV-9500ES infotainment system ($20000 for an exploit that uses a chain of three bugs; three exploits at $10000 each for buffer overflows).
  • Tesla car infotainment system hacked via USB ($35000 for information leak and buffer overflow exploit).
  • 10 hacks of the Grizzl-E Smart 40A charging station ($40000 for hardcoded credentials and missing boot code integrity checks; $25000 and $10000 for authentication bypass; $10000 for buffer overflow; $22500, $20000, 3 x $15000, and $5000 for exploits using chains of two or three bugs).
  • 7 hacks of Phoenix Contact CHARX SEC-3150 charging station ($50000 for command substitution and race condition exploit; $50000, $20000, $19250, and $6750 for exploits using chains of 3, 5, and 6 errors; $20000 for exploitation of vulnerabilities that allowed bypassing authentication and escalating privileges; $15000 for exploit using chain of 3 errors).
  • 4 hacks of the Autel MaxiCharger AC Elite Home 40A charging station ($50000, $20000, and $10000 for vulnerabilities that allowed bypassing authentication and digital signature verification; $30000 for a vulnerability leading to a buffer overflow).
  • 4 ChargePoint Home Flex CPH50-K charging station hacks ($40000, 2 x $30000, and $16750 for command substitution and symbolic link handling vulnerabilities).
  • 4 hacks of the Alpitronic HYC50 charging station ($60000 for a buffer overflow exploit; $40000 for a dangerous method exploit; $20000 for a race condition exploit; $20000).

In addition to the aforementioned successful attacks, nine attempts to exploit the vulnerabilities failed, in all cases because the teams failed to complete the attack within the allotted time. The unsuccessful attempts included hacking the Kenwood DNR1007XR, Alpine iLX-F511, Autel MaxiCharger AC Elite Home 40A, EMPORIA Pro Charger Level 2, ChargePoint Home Flex, Sony XAV-9500ES, and Grizzl-E Smart 40A.

In accordance with the terms of the competition, detailed information about all demonstrated 0-day vulnerabilities will be published only after 90 days, the period given to the manufacturers to prepare updates that fix the vulnerabilities.

Source: opennet.ru