Tesla Hacked, 37 Zero-Days Demoed at Pwn2Own Automotive 2026

The Pwn2Own Automotive 2026 competition, staged in Tokyo alongside the Automotive World conference, pushes the envelope on automotive cybersecurity by targeting fully patched in‑vehicle infotainment (IVI) systems, electric‑vehicle chargers, and car operating platforms. This year’s showcase featured 37 zero‑day bugs against Tesla’s infotainment unit alone, underscoring how even tightly controlled consumer interfaces can harbor deep, exploitable flaws. By rewarding researchers with $516,500 on the first day, the event signals that the industry values rapid discovery and disclosure of vulnerabilities, encouraging a proactive security culture.

For original equipment manufacturers (OEMs) and charger vendors, the contest serves as a stark reminder that connected components are now prime targets for sophisticated attackers. The 90‑day remediation window mandated by TrendMicro’s Zero Day Initiative forces companies to prioritize patch development and coordinated disclosure processes. Failure to address these flaws promptly could lead to real‑world exploits, ranging from unauthorized vehicle control to manipulation of charging infrastructure, potentially jeopardizing driver safety and brand reputation. The financial incentives also highlight the economic calculus: investing in robust security testing can offset the costs of breach remediation and regulatory penalties.

Looking ahead, the automotive sector is likely to see heightened collaboration between security researchers, standards bodies, and manufacturers. As vehicles become more software‑defined, the attack surface will continue to broaden, encompassing over‑the‑air updates, telematics, and third‑party apps. Stakeholders must adopt continuous security testing, bug‑bounty programs, and secure development lifecycles to stay ahead of threat actors. The Pwn2Own results not only expose current weaknesses but also chart a roadmap for resilient, future‑proof vehicle architectures.