Pwn2Own Automotive 2025: Researchers Exploit 16 Zero-Days for $382,750 in Awards, (from page 20250209.)
External link
Keywords
- Pwn2Own Automotive
- security researchers
- zero-day bugs
- electric vehicle chargers
- cybersecurity competition
Themes
- Pwn2Own
- automotive hacking
- cybersecurity
- electric vehicles
- zero-day vulnerabilities
Other
- Category: technology
- Type: news
Summary
At the Pwn2Own Automotive 2025 competition, security researchers exploited 16 unique zero-days, earning a total of $382,750 in cash awards. Leading the competition is Fuzzware.io, which hacked electric vehicle chargers for $50,000 and 10 Master of Pwn points. Sina Kheirkhah from Summoning Team followed closely, earning $91,750 with a combination of vulnerabilities in Ubiquiti and other chargers. Synacktiv Team secured third place with a $57,500 award for exploiting a bug in the OCPP protocol. Other teams also successfully hacked various chargers and systems. The event, focusing on automotive technologies, is held in Tokyo from January 22 to 24, allowing researchers to target EV chargers and in-vehicle systems. After vulnerabilities are reported, vendors have 90 days to issue security patches before public disclosure.
Signals
| name |
description |
change |
10-year |
driving-force |
relevancy |
| Increase in Automotive Cybersecurity Competitions |
Growing number of competitions targeting automotive technologies and security vulnerabilities. |
Shift from traditional hacking competitions to focus on automotive-specific challenges. |
Increased emphasis on automotive cybersecurity may lead to stronger defenses and regulations in vehicle software. |
Rising concerns over cybersecurity threats in the automotive industry as vehicles become more connected. |
4 |
| Emerging Vulnerabilities in EV Charging Systems |
Security researchers are successfully exploiting vulnerabilities in electric vehicle chargers. |
Transition from low awareness of vulnerabilities in EV chargers to public acknowledgment of their risks. |
Widespread security measures and designs will be integrated into electric vehicle charging infrastructure. |
The rapid adoption of electric vehicles increases the focus on securing charging infrastructure. |
5 |
| Financial Incentives for Hacking |
Significant cash prizes offered for discovering vulnerabilities in automotive systems. |
Shift from minimal rewards to substantial monetary incentives for hacking automotive technologies. |
A robust community of security researchers focusing on automotive technologies due to lucrative rewards. |
Competition and monetary incentives drive innovation in discovering and resolving vulnerabilities. |
5 |
| Integration of Multiple Vulnerability Types |
Hackers are combining different vulnerabilities to exploit systems more effectively. |
From single vulnerability exploitation to multi-vulnerability strategies in attacks. |
More sophisticated hacking techniques will likely evolve, challenging existing security protocols. |
The complexity of automotive systems encourages attackers to find and exploit multiple weaknesses. |
4 |
| Short Patch Development Windows |
Vendors have only 90 days to patch vulnerabilities after they are reported. |
Shift from longer patch cycles to a more aggressive patching approach in the automotive sector. |
Increased urgency in vulnerability management may lead to more proactive security measures in automotive software. |
The high stakes of automotive cybersecurity push vendors to respond quickly to threats. |
4 |
Concerns
| name |
description |
relevancy |
| Vulnerability of Electric Vehicle Charging Infrastructure |
Exploiting numerous zero-day vulnerabilities in EV chargers raises concerns about the security of electric vehicle infrastructure. |
5 |
| Potential for Cyber Attacks on Automotive Systems |
Continuing discoveries of zero-day bugs in automotive technologies highlight the risk of cyber attacks on vehicles and related systems. |
4 |
| Delayed Security Patch Development |
Vendors have 90 days to release patches after vulnerabilities are reported, creating a window for exploitation. |
4 |
| Public Safety Risks |
Exploiting security flaws in automotive systems could lead to public safety hazards, including accidents or unauthorized control of vehicles. |
5 |
| Ethical Hacking and Responsibility |
As the competition encourages hacking, ethical concerns arise regarding the potential misuse of discovered vulnerabilities. |
3 |
| Impact on Electric Vehicle Adoption |
Security issues in EV infrastructure may influence consumer trust and adoption rates for electric vehicles. |
4 |
| Dependency on Third-Party Vendors for Security |
The reliance on third-party vendors for the security of automotive systems and chargers can create vulnerabilities. |
4 |
Behaviors
| name |
description |
relevancy |
| Zero-Day Exploitation Competitions |
Competitions focusing on exploiting zero-day vulnerabilities in automotive technologies, encouraging innovation and security research. |
5 |
| Monetization of Hacking Skills |
Researchers earning significant cash awards for successful hacks, highlighting a trend of monetizing cybersecurity expertise. |
4 |
| Collaboration Among Hackers |
Teams working together to exploit vulnerabilities, demonstrating a growing trend in collaborative cybersecurity efforts. |
4 |
| Focus on Electric Vehicle Security |
Increasing emphasis on the security of electric vehicle chargers and systems in hacking competitions. |
5 |
| Rapid Vulnerability Disclosure Cycle |
A 90-day timeline for vendors to patch reported vulnerabilities, reflecting a trend towards faster security responses. |
4 |
| Use of Advanced Hacking Techniques |
Application of sophisticated methods like buffer overflows and signal manipulation to exploit automotive systems. |
5 |
| Growing Interest in Automotive Cybersecurity |
Increasing participation and stakes in automotive hacking competitions, indicating a rise in cybersecurity focus within the automotive sector. |
5 |
Technologies
| description |
relevancy |
src |
| Exploiting previously unknown vulnerabilities in software, leading to enhanced security measures in technology. |
5 |
35a98c03faa3dacfeee9ea793e102b04 |
| Innovative charging solutions for electric vehicles, evolving with advancements in cybersecurity. |
4 |
35a98c03faa3dacfeee9ea793e102b04 |
| Integrated multimedia systems in vehicles, increasingly targeted for security vulnerabilities. |
4 |
35a98c03faa3dacfeee9ea793e102b04 |
| Specialized operating systems for vehicles, including Automotive Grade Linux and Android Automotive OS, critical for vehicle functionality. |
5 |
35a98c03faa3dacfeee9ea793e102b04 |
| Techniques used to exploit vulnerabilities in communication protocols, particularly in EV chargers. |
4 |
35a98c03faa3dacfeee9ea793e102b04 |
| Innovations in managing cryptographic keys to enhance security against hacking attempts. |
4 |
35a98c03faa3dacfeee9ea793e102b04 |
Issues
| name |
description |
relevancy |
| Zero-Day Vulnerabilities in Automotive Technology |
The rise of zero-day exploits targeting automotive systems highlights vulnerabilities in modern vehicle technology. |
5 |
| Security in Electric Vehicle Infrastructure |
Hacking competitions expose flaws in EV chargers, emphasizing the need for robust security in electric vehicle infrastructure. |
4 |
| Regulatory Response to Cybersecurity Threats |
The 90-day patch requirement after zero-day exploitation may prompt future regulatory frameworks for automotive cybersecurity. |
3 |
| Impact of Hacking Competitions on Security Practices |
Competitions like Pwn2Own influence industry practices and focus on uncovering vulnerabilities in automotive technologies. |
4 |
| Emerging Threats to In-Vehicle Infotainment Systems |
Increasing attacks on IVI systems signal a growing threat landscape for in-car technology and passenger data security. |
4 |
| Integration of Advanced Technologies in Vehicles |
Adoption of complex operating systems like Automotive Grade Linux raises concerns over vulnerabilities and security management. |
3 |