Pwn2Own Automotive 2025 – Day 1 and 2 Highlights


The first two days of Pwn2Own Automotive 2025 in Tokyo have been filled with intense competition and impressive cybersecurity exploits. Here’s a detailed summary of the events:

Day 1 Highlights

  • Fuzzware.io: Exploited vulnerabilities in the Autel MaxiCharger and Phoenix Contact CHARX SEC-3150 EV chargers, earning $50,000 and 10 Master of Pwn points.
  • Sina Kheirkhah (Summoning Team): Exploited the Ubiquiti and Phoenix Contact CHARX SEC-3150 EV chargers, earning $91,750 and 9.25 Master of Pwn points.
  • Synacktiv Team: Demonstrated a bug in the OCPP protocol to hack the ChargePoint Home Flex (Model CPH50), securing $57,500.
  • PHP Hooligans: Successfully hacked a fully patched Autel charger using a heap-based buffer overflow, earning $50,000.
  • Viettel Cyber Security: Collected $20,000 after obtaining code execution on the Kenwood In-Vehicle Infotainment (IVI) using an OS command injection zero-day.

Day 2 Highlights

  • PHP Hooligans: Exploited the Tesla Wall Connector through a numeric range comparison without minimum check (CWE-839), earning $50,000.
  • PCAutomotive: Successfully exploited the Tesla Wall Connector, but the vulnerability had been previously disclosed, earning $10,000.
  • Viettel Cyber Security: Targeted the ChargePoint Home Flex EV charger, earning $20,000 and 2 Master of Pwn points.
  • Sina Kheirkhah (Summoning Team): Exploited the WOLFBOX Level 2 EV Charger, earning $50,000 and 5 Master of Pwn points.
  • Synacktiv Team: Exploited the Tesla Wall Connector with the Charging Connector Protocol/Signal Manipulation add-on, earning $60,000 and 6 Master of Pwn points.

Overall Impact

  • Total Exploits: 39 unique zero-day vulnerabilities discovered across both days.
  • Total Prize Money: $382,750 awarded to participants.
  • Master of Pwn Points: Fuzzware.io leads with 15 points, followed closely by Sina Kheirkhah with 14.25 points.

The competition continues for one more day, with participants targeting additional electric vehicle (EV) chargers, in-vehicle infotainment (IVI) systems, and car operating systems. The stakes remain high, and the competition is fierce!
