The Pwn2Own Automotive 2025 competition in Tokyo has once again demonstrated the vulnerabilities in automotive technology, with Tesla’s Wall Connector electric vehicle (EV) charger being hacked multiple times.
This high-profile security event, organized by Trend Micro’s Zero Day Initiative (ZDI), provides a platform for ethical hackers to uncover and exploit previously unknown software and hardware weaknesses. The latest contest, being held from January 22 to January 24, saw Tesla’s EV charger targeted by multiple teams, resulting in significant security revelations and monetary rewards for participants.
Tesla’s Wall Charger
Over the course of the competition, researchers successfully hacked Tesla’s Wall Connector multiple times, earning a total of US$129,500 in rewards. The first major exploit came from a team known as PHP Hooligans, who leveraged a “Numeric Range Comparison Without Minimum Check” zero-day vulnerability to take control of the charger and crash it. Their discovery earned them the maximum reward of US$50,000.
The Tesla Wall Connector has been christened by the PHP Hooligans. They used a Numeric Range Comparison Without Minimum Check bug (CWE-839) to take over the machine and crash it. They earn $50,000 and 5 Master of Pwn points. #P2OAuto pic.twitter.com/PlH8I0wEpQ
— Zero Day Initiative (@thezdi) January 23, 2025
Shortly after, another team, Synacktiv, a frequent hacker of Teslas at these competitions, demonstrated an innovative approach by hacking the Tesla charger via its charging connector. This method, which had never been publicly exploited before, earned them a payout of US$45,000.
Confirmed! @Synacktiv used a logic bug as a part of their chain to exploit the Tesla Wall Connector via the Charging Connector. Their outstanding (and inventive) research earns them $45,000 and 7 Master of Pwn points. pic.twitter.com/93vwcwpb0I
— Zero Day Initiative (@thezdi) January 23, 2025
Two additional teams also managed to compromise the charger, though their exploits involved previously known vulnerabilities. The PCAutomotive team secured US$22,500 for their attack, while the Summoning Team’s Sina Kheirkhah used a two-bug exploit chain to claim a US$12,500 prize. These so-called “bug collisions” demonstrate that even known vulnerabilities can continue to pose security risks if not properly patched.
Beyond Tesla’s charger, the Pwn2Own Automotive 2025 contest saw other EV chargers, including those from WOLFBOX, ChargePoint Home Flex, Autel MaxiCharger, Phoenix Contact CHARX, and EMPORIA, were also successfully compromised.
What This Means for Tesla and EV Security
The fact that Tesla’s Wall Connector was successfully hacked multiple times highlights the evolving cybersecurity threats facing EV infrastructure. While Tesla is known for its robust over-the-air (OTA) update capabilities, which allow the company to rapidly deploy security patches, the exploits demonstrated at Pwn2Own highlight the need for continuous vigilance and proactive security measures.
For EV owners, these findings reinforce the importance of keeping software and firmware up to date. Tesla and other EV manufacturers will need to work closely with cybersecurity researchers to patch vulnerabilities before malicious actors can exploit them in real-world scenarios.
Patching and Prevention
Following the conclusion of Pwn2Own, vendors – including Tesla – have a 90-day window to develop and release fixes before the discovered vulnerabilities are publicly disclosed. This grace period ensures that manufacturers have time to address security flaws before they can be exploited by bad actors.
Tesla’s continuous participation in Pwn2Own over the years demonstrates its willingness to engage with the cybersecurity community and improve the security of its products. The company has previously patched vulnerabilities identified in similar hacking contests, and it is expected to do the same with the newly discovered exploits.
