Tesla Infotainment Vulnerability Among Security Flaws Caught at Pwn2Own Automotive Cybersecurity Challenge

The third annual Pwn2Own Automotive Cybersecurity Challenge has kicked off at the Automotive World 2026 trade show in Tokyo, Japan. This specialised contest, a spinoff of the Pwn2Own initiative, is aimed at discovering and demonstrating security vulnerabilities in connected car systems, in an ethical and safe manner, to promote awareness of emerging threats in the industry and encourage companies to patch flaws before they can be exploited by malicious actors.

Today’s interconnected vehicle, backend, and infrastructure systems make cars more vulnerable to digital attacks than ever before.  

The competition, sponsored by security firm Trend Micro’s Zero Day Initiative, awards cash and prizes to security researchers who successfully demonstrate that they can exploit flaws in products that are in wide circulation and/or of high value. Exploits should be able to give the attackers significant privileges. They can be easily discoverable, or could require someone to fall victim to a social engineering prompt.

On day one of the 2026 Pwn2Own Automotive contest, 37 unique flaws were demonstrated successfully, with contestants claiming $516,500 (approximately ₹4,72,88,160) in cash. The most prominent flaw of the day was in Tesla’s infotainment system, which was compromised by team Synacktiv. By chaining two vulnerabilities, the team was able to obtain root administrator access. The same team also showed that it was able to execute code at root level on a Sony XAV-9500ES digital media receiver. 

In 2024, Tesla rewarded Team Synacktiv with a $200,000 cash prize and a Model 3 for demonstrating a chain of attacks that could have been used by malicious attackers to compromise a Tesla’s CAN (control area network) bus and ECU (electronic control unit). In theory, such a serious flaw could have allowed attackers to interfere with a Tesla car's engine and transmission control, battery management, powertrain, suspension, door and seat controls, telematics, and other critical systems. 

Charging equipment from Grizzl-E, Alpitronic, Autel, ChargePoint, and Phoenix Contact, along with infotainment systems from Sony, Kenwood and Alpine were the products most frequently targeted by security research teams on day one of the contest. It is set to continue over two more days, at the end of which the winner of the highest number of “Master of Pwn” points will be declared.