Tesla EV Charger Hacked Twice on Second Day of Pwn2Own Tokyo
Pwn2Own Automotive 2025 hacking contest

The second day of the Pwn2Own Automotive 2025 hacking contest brought groundbreaking achievements in automotive security as Tesla’s Wall Connector electric vehicle (EV) charger was successfully hacked twice. Security researchers also demonstrated vulnerabilities in various EV chargers, in-vehicle infotainment (IVI) systems, and automotive technologies, exploiting a total of 23 zero-day vulnerabilities.
Tesla Wall Connector: A Double Hack
The highlight of the day was the Tesla Wall Connector being breached not once but twice. The first exploit was carried out by the PHP Hooligans, who identified and leveraged a zero-day bug of the type known as Numeric Range Comparison Without Minimum Check to take full control of the device. Shortly after, Synacktiv made history by using an entirely different attack vector, an exploit through the Charging Connector, marking the first publicly demonstrated hack of its kind.
Additionally, two bug collisions occurred during hacking attempts on the Tesla Wall Connector. PCAutomotive and Sina Kheirkhah from the Summoning Team independently used already-known vulnerabilities, chaining two exploits together to achieve their goals.
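The bug class named above, Numeric Range Comparison Without Minimum Check (CWE-839), shown as an added generic example: a signed index checked only against its maximum, beside the corrected two-sided check. This is not code from the Wall Connector or from any contest entry; the table, function names and sample values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define SLOT_COUNT 4

/* Constructed sample data: per-slot current limits in amperes (hypothetical). */
static const int slot_limit_amps[SLOT_COUNT] = { 12, 16, 24, 32 };

/* Flawed guard (CWE-839): only the maximum is checked, so any negative
 * signed index passes and would address memory before the array. */
static bool guard_max_only(int idx)
{
    return idx < SLOT_COUNT;
}

/* Corrected guard: both ends of the range are checked. */
static bool guard_full_range(int idx)
{
    return idx >= 0 && idx < SLOT_COUNT;
}

/* Hardened lookup: returns 0 and writes *out on success,
 * -1 when the index (or the output pointer) is rejected. */
static int slot_limit_lookup(int idx, int *out)
{
    if (out == NULL || !guard_full_range(idx))
        return -1;
    *out = slot_limit_amps[idx];
    return 0;
}

int main(void)
{
    /* Constructed inputs: in range, one past the end, and negative values. */
    const int samples[] = { -1, 0, 3, 4, -2147483647 - 1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int amps = 0;
        int rc = slot_limit_lookup(samples[i], &amps);
        printf("idx=%d max_only=%d full_range=%d lookup=%d\n",
               samples[i], guard_max_only(samples[i]),
               guard_full_range(samples[i]), rc);
    }
    return 0;
}
```

The flawed guard is shown only as a predicate and is never used to index the array, so the program stays well defined while still showing which inputs slip through.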
Pwn2Own Tokyo 2025 Rules and Rewards
The Tesla Wall Connector and all other devices targeted during the competition were running the latest firmware versions and operating system patches, as required by the Pwn2Own contest rules. This ensures that all exploits demonstrated are effective even on fully updated systems, emphasizing the critical need for vendors to prioritize robust security measures.
As a result of their successful exploits, participants were awarded a total of $335,500 in cash rewards during the second day alone. Sina Kheirkhah, who led several successful demonstrations, is now at the top of the leaderboard and in contention for the prestigious title of Master of Pwn.
Broader Impact on EV and Automotive Technologies
The Tesla Wall Connector wasn’t the only target during the competition. Security researchers also identified zero-day vulnerabilities in other EV chargers, including:
WOLFBOX
ChargePoint Home Flex
Autel MaxiCharger
Phoenix Contact CHARX
EMPORIA EV chargers
Additionally, vulnerabilities were exploited in IVI systems such as the Alpine iLX-507, Kenwood DMX958XR, and Sony XAV-AX8500. These systems are integral to modern vehicles, managing everything from navigation to entertainment, which highlights the growing attack surface in the automotive sector.
A Growing Threat Landscape for EV Chargers
The vulnerabilities uncovered in EV chargers during Pwn2Own Tokyo 2025 are a wake-up call for manufacturers and regulators alike. EV chargers are becoming an essential part of infrastructure, and their security is paramount. Weaknesses in these devices could allow attackers to disrupt charging operations, steal sensitive data, or even gain access to connected networks.
The exploit demonstrated by Synacktiv through the Tesla Wall Connector’s Charging Connector is particularly concerning. As EV adoption continues to grow, attackers could target public and home charging stations to carry out widespread disruptions.
The Rise of Pwn2Own Automotive
This year’s Pwn2Own Automotive contest, held from January 22 to January 24 during the Automotive World conference in Tokyo, Japan, focuses on critical automotive technologies, including:
Car operating systems like Automotive Grade Linux, Android Automotive OS, and BlackBerry QNX
Electric vehicle chargers
In-vehicle infotainment systems (IVI)
The competition also offered Tesla’s Model 3/Y (Ryzen-based) benchtop unit as a target, but no researchers registered an attempt against it before the event.
A Record-Breaking First Day
The first day of the contest was no less eventful, with security researchers uncovering 16 unique zero-day vulnerabilities across various automotive systems and collecting a whopping $382,750 in rewards. Vendors will now have 90 days to develop and release patches before the vulnerabilities are disclosed to the public by Trend Micro’s Zero Day Initiative (ZDI).
Looking Back: Pwn2Own 2024
The previous edition of Pwn2Own Automotive, held in 2024, awarded an astonishing $1,323,750 to researchers who successfully hacked a Tesla twice and identified 49 zero-day vulnerabilities in electric car systems. These consistent discoveries show the critical need for improved automotive cybersecurity as vehicles become more connected and reliant on advanced technologies.
Key Takeaways for the Automotive Industry
The results of Pwn2Own Tokyo 2025 highlight several key trends and challenges for the automotive sector:
Increased Vulnerabilities: As more devices, from EV chargers to infotainment systems, connect to the internet, the attack surface for hackers grows.
Public Demonstrations: Successful hacks in events like Pwn2Own emphasize that even leading brands like Tesla are not immune to security flaws.
Need for Collaboration: Vendors must collaborate with security researchers to address vulnerabilities and ensure consumer safety.
The Road Ahead
With the Pwn2Own Automotive 2025 contest nearing its conclusion, it’s clear that the automotive industry faces an uphill battle in securing its rapidly expanding digital ecosystem. As EV chargers, IVI systems, and connected vehicles become integral to daily life, investing in cybersecurity will be critical to staying ahead of increasingly sophisticated attackers.
For now, the focus remains on ensuring that the vulnerabilities identified during Pwn2Own are patched quickly, safeguarding both consumers and critical infrastructure.
As the contest concludes, one thing is certain: the lessons learned at Pwn2Own Tokyo 2025 will have a lasting impact on the future of automotive cybersecurity.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.