Tesla Hacked Four Times in One Day: Pwn2Own Contest Yields $129,500 in Bounties
A team of ethical hackers at the Pwn2Own Automotive competition successfully hacked a Tesla product four times in a single day, earning themselves $129,500 in prize money—and prompting fresh concerns about the cybersecurity risks facing car owners. The event underscores the growing threat to internet-connected vehicles and associated infrastructure at a time when automakers are increasingly relying on smart technology.
What Is Pwn2Own?
Pwn2Own is a prestigious hacking competition, organized annually by the Trend Micro Zero Day Initiative, which brings together top security researchers from around the world. It challenges participants to compromise different technologies, from smartphones to routers and, for the second year in a row, automotive products. Rewards, or “bounties,” are offered for each unique, previously undiscovered zero-day exploit uncovered.
The goal of the competition is twofold:
- Identify and Fix Vulnerabilities: Vendors get early warnings about weaknesses in their products, enabling them to patch them before malicious actors can take advantage.
- Reward Ethical Hacking: Successful researchers receive monetary prizes and recognition, incentivizing legitimate, legal methods of discovering and reporting security flaws.
Tesla’s Wall Connector Under Fire
Unlike last year’s auto-focused Pwn2Own event—where participating hackers walked away with $1,323,750 in total—this year’s contest zeroed in on the Tesla Wall Connector, a home-charging device for Tesla vehicles. Several elite hacking teams found vulnerabilities in the hardware, each discovering different exploits. While the full technical details will remain under wraps for 90 days—giving Tesla ample time to create and distribute patches—here’s what we know about the four successful attacks:
- $50,000 Hack by PHP Hooligans
  - Method: A zero-day exploit that crashed the Tesla Wall Connector.
  - Technical Basis: A Numeric Range Comparison Without Minimum Check bug (CWE-839).
  - Outcome: Researchers were able to take control of the charger and force it offline, showcasing a critical vulnerability that Tesla will need to address quickly.
- $45,000 Hack by Synacktiv Team
  - Method: A sophisticated exploit chain leveraging a logic bug.
  - Entry Point: Access through the charging connector itself, demonstrating attackers’ ability to compromise a critical path used every day by Tesla owners.
  - Outcome: Described by organizers as “outstanding and inventive research,” the hack showcased how a well-crafted series of steps can bypass existing security measures.
- $22,500 Hack by PC Automotive
  - Method: Used a previously known vulnerability (also known as a ‘collision’) as part of its overall compromise strategy.
  - Outcome: Exploited the Wall Connector to breach functionality—proof that even known weaknesses can be chained into a successful hack if not fully patched.
- $12,500 Hack by Summoning Team
  - Method: A two-vulnerability chain.
  - Outcome: Again, hackers managed to compromise the device, revealing the layered complexities of a well-orchestrated attack.
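The CWE-839 bug class named in the first entry above, shown as an added illustration in C. This is not Tesla's code or the researchers' exploit, whose details are undisclosed; the slot table, message layout and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_SLOTS 8                      /* hypothetical table size */
static uint16_t slot_limit[NUM_SLOTS];   /* hypothetical per-slot setting */

/* Constructed messages: 4-byte big-endian signed index, 2-byte value. */
static const uint8_t MSG_GOOD[6] = {0x00, 0x00, 0x00, 0x03, 0x00, 0x20};
static const uint8_t MSG_NEG[6]  = {0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x20};

/* CWE-839 pattern: only the maximum is checked, so any negative index
 * passes and would address memory before the start of the table. */
static bool index_ok_weak(int32_t idx) { return idx < NUM_SLOTS; }

/* Corrected check: minimum and maximum are both enforced. */
static bool index_ok_strict(int32_t idx) { return idx >= 0 && idx < NUM_SLOTS; }

static int32_t read_be32(const uint8_t *p) {
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return (int32_t)v;   /* 0xFFFFFFFF becomes -1 on two's-complement targets */
}

/* Handler using the strict check; returns 0 on success, -1 on rejection. */
static int set_limit(const uint8_t *msg, size_t len) {
    if (msg == NULL || len < 6) return -1;
    int32_t idx = read_be32(msg);
    if (!index_ok_strict(idx)) return -1;
    slot_limit[idx] = (uint16_t)((msg[4] << 8) | msg[5]);
    return 0;
}

int main(void) {
    int32_t idx = read_be32(MSG_NEG);
    printf("index %d: weak check=%d, strict check=%d\n", (int)idx,
           index_ok_weak(idx), index_ok_strict(idx));
    int rejected = set_limit(MSG_NEG, sizeof MSG_NEG);
    int accepted = set_limit(MSG_GOOD, sizeof MSG_GOOD);
    printf("negative index: %d, valid index: %d, slot[3]=%u\n",
           rejected, accepted, (unsigned)slot_limit[3]);
    return 0;
}
```

Declaring the index as an unsigned type achieves the same result with a single upper-bound comparison, since a negative wire value then becomes a large number that fails the maximum check.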
Why It Matters
Internet-connected vehicles and the chargers that power them are essentially computers on wheels (and in homes). While the Tesla Wall Connector offers convenience to drivers, these events highlight potential weaknesses that determined attackers could exploit. Moreover:
- Rapid Adoption of EVs: As more people embrace electric vehicles, the infrastructure around them, such as charging stations, becomes a bigger target for cybercriminals.
- Increasing Connectivity: Automotive tech is increasingly intertwined with Wi-Fi and cellular networks, widening the attack surface.
- Financial & Safety Risks: In a worst-case scenario, attackers may not only target personal data but could disrupt the charging process itself.
What Happens Next?
The 90-day disclosure window allows Tesla time to release patches or firmware updates that will protect consumers from the newly uncovered vulnerabilities. Once that period has ended, full exploit details will be made public, giving the broader cybersecurity community insights into how these attacks were executed.
Tesla, co-sponsor of Pwn2Own Automotive this year, stands to benefit from the discoveries: by acknowledging the vulnerabilities now, the automaker can roll out updates before malicious actors replicate the exploits.
Staying Safe as a Tesla Owner
While the exploits discovered target a specific Tesla product, it’s a reminder that any connected device—from laptops to smartphones and, yes, even cars—can be at risk. Tesla owners should:
- Install Updates Promptly: Always apply software and firmware updates as soon as they are available.
- Monitor Official Channels: Follow Tesla’s announcements for any security alerts or recall information.
- Stay Informed: Keep an eye on cybersecurity news to understand emerging threats and protective measures.
Pwn2Own remains a vital event in the cybersecurity landscape, showcasing just how creative and determined ethical hackers can be. By uncovering the weaknesses in Tesla’s charging infrastructure, these researchers help ensure that Tesla owners—and the automotive industry at large—stay one step ahead of criminal hackers.