The Cyber Arms Race: Hackers vs. Automotive Security
On the second day of Pwn2Own Automotive 2026, security researchers took home $439,250 in cash prizes for exploiting 29 unique zero-day vulnerabilities.
Pwn2Own Automotive is a hacking contest focused on automotive technologies. This year's event, held in Tokyo, Japan, from January 21-23 during the Automotive World conference, has security researchers targeting fully patched electric vehicle (EV) chargers, in-vehicle infotainment systems, and car operating systems such as Automotive Grade Linux.
Fuzzware.io is currently leading the pack, having earned $213,000 in the first two days alone. They've demonstrated their skills by hacking the Phoenix Contact CHARX SEC-3150 charging controller, the ChargePoint Home Flex EV charger, and the Grizzl-E Smart 40A EV charging station, raking in an additional $95,000.
Sina Kheirkhah of Summoning Team and Rob Blakely of Technical Debt Collectors, along with Hank Chen of InnoEdge Labs, also made significant strides, each earning $40,000 for their successful demonstrations of zero-day exploit chains targeting Automotive Grade Linux and the Alpitronic HYC50 charging station.
After just two days, security researchers have collectively earned $955,750 in cash awards by exploiting 66 zero-day vulnerabilities. But the competition isn't over yet. On day three, teams like Slow Horses of Qrious Secure and PetoWorks will be targeting the Grizzl-E Smart 40A again, while the Juurin Oy team will go after the Alpitronic HYC50, and Ryo Kato will attempt to exploit the Autel MaxiCharger.
On the first day of the contest, the Synacktiv Team earned $35,000 by chaining an information leak and an out-of-bounds write flaw to obtain root permissions on the Tesla Infotainment System via a USB-based attack. They then took home an additional $20,000 for chaining three zero-day flaws to gain root-level code execution on the Sony XAV-9500ES digital media receiver.
The full schedule for the second day, the results for each challenge, and the complete schedule for Pwn2Own Automotive 2026 are available online. Last year's competition saw hackers collect $886,250 after exploiting 49 zero-days, and the year before that, they took home $1,323,750 after demonstrating 49 zero-day bugs and hacking a Tesla car twice.
Vendors have 90 days to develop and release security fixes for any zero-day flaws exploited and reported during the Pwn2Own contest before Trend Micro's Zero Day Initiative makes them public. It's a race against time to secure our automotive technologies.
So, what do you think? Are these hacking contests a necessary evil to expose vulnerabilities and improve security, or do they pose a significant risk?