Pwn2Own Automotive Day 3 Highlights

Pwn2Own Automotive 2025, held in Tokyo, showcased remarkable cybersecurity exploits on its third and final day. The event saw a total prize payout of $886,250 awarded for the discovery of 49 unique zero-day vulnerabilities across various automotive technologies, including in-car entertainment systems and EV chargers. Here are the highlights:

Key Exploits and Performances

Sina Kheirkhah (Summoning Team)

  • Achievements: Sina Kheirkhah was crowned the Master of Pwn for 2025, earning an impressive $222,250 and amassing 30.5 Pwn points.
  • Details: Kheirkhah demonstrated exceptional skill and persistence, discovering a total of 14 unique zero-day vulnerabilities. His exploits included targeting the ChargePoint Home Flex EV charger and other critical automotive components, showcasing his deep understanding of automotive security.

Synacktiv

  • Achievements: The French team Synacktiv secured second place with total earnings of $147,500.
  • Exploits: Synacktiv used a single buffer overflow to exploit the Autel MaxiCharger and demonstrated signals being transmitted via its charging connector. Their innovative approach highlighted the potential security risks associated with EV chargers.

PHP Hooligans

  • Achievements: The PHP Hooligans team took third place, earning a total of $110,000.
  • Exploits: Their notable exploit involved targeting the Kenwood DMX958XR in-vehicle infotainment system, showcasing vulnerabilities that could be leveraged for remote code execution. Their efforts emphasized the importance of securing in-vehicle infotainment systems.

Fuzzware.io

  • Achievements: The team fuzzware.io received $68,750 for their exploits.
  • Exploits: Fuzzware.io demonstrated their prowess by exploiting the WolfBox EV charger with a two-bug chain that featured an uninitialized variable. Their work underscored the need for rigorous security testing of EV chargers.

Viettel Cyber Security

  • Achievements: Viettel Cyber Security earned $53,750 for their efforts.
  • Exploits: The team successfully targeted multiple automotive components, including the ChargePoint Home Flex EV charger. Their exploits highlighted the potential vulnerabilities in widely used automotive technologies.

Bongeun Koo (STEALIEN Inc.)

  • Achievements: Bongeun Koo from STEALIEN Inc. showcased a creative and engaging exploit by hacking the Ubiquiti Connect EV Station charger using a three-bug chain and displaying the iconic Nyan Cat on the device.
  • Impact: This innovative demonstration not only highlighted a critical vulnerability but also captured the audience’s attention with its visual appeal.

Noteworthy Attempts

  • Team Confused: Targeted the Alpine iLX-507 in-vehicle infotainment system.
  • Other Exploits: Several other teams made significant attempts, contributing to the discovery of additional zero-day vulnerabilities and highlighting the diverse range of security challenges in the automotive sector.

Overall Impact

The event’s total prize payout of $886,250 reflects the high stakes and the exceptional talent of the participating security researchers. The discovery of 49 unique zero-day vulnerabilities across various automotive technologies emphasizes the ongoing need for robust security measures in software-defined vehicles (SDVs). The creative and innovative exploits demonstrated by the participants highlighted the potential risks and the importance of securing automotive systems against cyber threats.
