The annual Pwn2Own Automotive hacking contest returned this week in Tokyo, bringing together some of the world’s top security researchers to probe the defenses of modern vehicle technology. Among the systems tested on day one was Tesla’s in-vehicle infotainment platform, which researchers managed to compromise under the contest’s tightly controlled rules.
On day one of Pwn2Own Automotive 2026, researchers demonstrated 37 previously unknown vulnerabilities—commonly referred to as zero-day exploits—across a range of automotive technologies. Among them was Tesla’s infotainment platform, which was targeted in the USB-based attack category.
The Synacktiv team, a familiar name at Pwn2Own events involving Tesla, successfully chained multiple vulnerabilities to gain root-level access to the system, earning a US$35,000 payout.
The exploit required physical access and relied on multiple flaws working together, a key distinction that separates research demonstrations from practical attacks. As with prior Tesla-related entries at Pwn2Own, the vehicle systems were fully patched before the competition began, ensuring researchers were working against Tesla’s latest publicly available software.
Tesla’s appearance at this year’s contest continues a long trend of participation in ethical hacking challenges. In previous years, researchers have demonstrated exploits against Tesla Wall Connectors, infotainment systems, and electronic control units (ECUs), sometimes earning six-figure rewards and even vehicles as prizes.
These efforts have consistently taken place under tightly controlled conditions, with findings disclosed privately to Tesla before any public release.
A core part of the Pwn2Own process is the 90-day disclosure window managed by Trend Micro’s Zero Day Initiative. During this period, Tesla and other affected vendors are given time to develop, test, and deploy security updates before technical details are published. For Tesla, this window aligns well with its over-the-air (OTA) update capability, allowing fixes to be rolled out rapidly without requiring service visits.
While the infotainment system was the focus of this year’s Tesla-related exploit, there was no indication that safety-critical driving systems were impacted. Tesla’s vehicle architecture separates infotainment functions from core driving controls, a design choice intended to limit the consequences of a successful breach.
