If you just want to read the rules, click here.
Now entering its third year, Pwn2Own Automotive returns to Automotive World in Tokyo on January 21 – 23, 2026. Over the last two years, we’ve awarded more than $2,000,000 for the latest in automotive exploitations, and this year looks to be even better.
As always, we’re pleased to be working with our cohorts over at VicOne again. Their help was instrumental in the success we had at our first event, and we’re glad to be partnering with them once more. Tesla also returns as a sponsor. They’ve worked with us since 2019, and their help has been crucial in advancing the state of the art in automotive research. This year, we’re introducing a new supercharger category and Alpitronic has joined as a partner and provided their Level 3 charger as a target. Superchargers are a whole new level of targets, and we’re interested to see what researchers bring. Finally, the Open Charge Alliance joins as a partner and brings their OCPP Compliance Test Tool (OCTT) as a target. To say that we’re charged up for this year’s event is a horrible pun but a true statement. We can’t wait to see what researchers bring to the contest.
As with other Pwn2Own events, we’ll have a random drawing to determine the schedule of attempts the day before the contest, and we will proceed from there. As always, if you have questions, don't hesitate to get in touch with us at pwn2own@trendmicro.com. We will be happy to address your issues or concerns directly.
Now on to the six categories we’ll have for this year’s Pwn2Own Automotive event:
-- Tesla
-- In-Vehicle Infotainment (IVI)
-- Level 3 Electric Vehicle (EV) Chargers
-- Level 2 Electric Vehicle (EV) Chargers
-- Open Charge Alliance
-- Automotive Operating Systems
Let's start with everyone's favorite category.
Tesla
Since its introduction to Pwn2Own in 2019, the Tesla category has always been a highlight, with some of the most innovative research being demonstrated on the EV. At the inaugural Pwn2Own Automotive, the team from Synacktiv exploited it twice on their way to winning Master of Pwn. Contestants can register an entry against the Tesla Model 3/Y (Ryzen-based) equivalent bench top unit, and it wouldn’t surprise me if someone needs to run their exploits in an RF enclosure to prevent interference with vehicles that might be driving by. Also note that while a Tesla is available as a prize, not every successful attempt will win the vehicle itself. Some targets will require you to exploit multiple subsystems to reach the selected target. The prize amount is based on where the final code execution occurs. Some of the targets have add-ons available, but to drive away in your new ride, you need to target one of the entries marked “Vehicle Included” in the table below. Also note that the targets have changed a bit this year to keep things interesting.
As usual, there are a few “add-ons” you can go for if you really want to show your stuff.
In-Vehicle Infotainment (IVI) Systems
Other highlights from the inaugural contest were found in the IVI category, which saw the NCC Group put a playable version of Doom on an Alpine system. More than just stereos, the modern IVI is the gateway to your car’s internal systems. Navigation, in-car internet, and Wi-Fi are provided through these devices, but they also serve as a connection to other vehicle systems through the CAN bus – making them a ripe target for attackers. These devices are also retrofitted to existing vehicles to add modern capabilities – and perhaps modern vulnerabilities as well. This year, we’ve made it a little more complicated than in years past, so be sure to review the rules for the full details. Here are the systems available as targets in the IVI category:
Level 3 Electric Vehicle (EV) Chargers Category
This is a new category for us this year and is brought to us by our new partner Alpitronic. Level 3 chargers are usually referred to as “superchargers”, and we expect some super exploits to be demonstrated at the event. An attempt in this category must be launched against the target's exposed services or against the target’s communication protocols or physical interfaces that are accessible to a typical user. Entries requiring ARP spoofing, DNS spoofing, machine in the middle (MITM), or any assumptions involving control over external infrastructure are out of scope.
Level 2 Electric Vehicle (EV) Chargers Category
At previous Pwn2Own Automotive events, this proved to be the most popular category with every charger targeted at least once. Last year, contestants also demonstrated how the EV chargers could be used to communicate with – and thus exploit – the vehicle itself. The Tesla wall charger returns as a target, and it is joined by the Ford Connected Charger as well. Attack surfaces in scope for the contest include mobile apps, Bluetooth Low Energy (BLE) connections, and the OCPP protocol, all of which could allow a threat actor to cause harm to an EV. There’s no official bonus for style points, but we always love exploits that make us laugh. An attempt in this category must be launched against the target's exposed services or against the target’s communication protocols/physical interfaces that are accessible to a typical user.
As we did last year, there are a couple of additional challenges you can add on to your attempt. The first extra challenge is a Charging Connector Protocol/Signal Manipulation attack. The entry must gain code execution on the EV Charger and the resulting payload must manipulate the protocol and/or signals being transmitted via the Charging Connector. If you can accomplish this, you’ll earn an extra $10,000 and 1 more Master of Pwn point. Really want a challenge? Then go for the Charging Connector Attack. For this one, the entry must originate from the Charging Connector and compromise the EV Charger. If you accomplish this one, it earns you an additional $20,000 and 2 more Master of Pwn points.
Open Charge Alliance
New for this year’s event is the Open Charge Alliance category. According to their charter, “The goal of the Open Charge Point Protocol (OCPP) is to provide a uniform method of communication between charge points and central systems.” As such, the protocol could prove an attractive attack surface for attackers. The OCPP Compliance Test Tool (OCTT) is the target in this category with a $15,000 award. As this is a new category, please read the rules carefully and ask any questions you may have to ensure your entry is valid.
Automotive Operating Systems
It’s odd to think of operating systems within a car, but they are there – and they’re there in abundance. If you drive a recent Mercedes, Subaru, Mazda, or Toyota, there’s a good chance you’re also driving something with Automotive Grade Linux (AGL) installed. How do these onboard OSes compare to their desktop counterparts? Previous events saw AGL successfully targeted. This year, entries against the AGL target are eligible for an additional $10,000 bonus if the entry leverages vulnerabilities in the BlueZ or the ConnMan subsystems. It will be intriguing to see if the other OSes are targeted this year. An attempt in this category must be launched against the target's exposed services/features or launched against the target’s communication protocols that are accessible to a typical user.
Master of Pwn
No Pwn2Own contest would be complete without crowning a Master of Pwn, which signifies the overall winner of the competition. Earning the title results in a slick trophy, a different sort of wearable, and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2026).
For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout. As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt.
The Complete Details
The full set of rules for Pwn2Own Automotive 2026 can be found here. They may be changed at any time without notice. We highly encourage potential entrants to read the rules thoroughly and completely should they choose to participate. We also encourage contestants to read this blog covering what to expect when participating in Pwn2Own.
Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at pwn2own@trendmicro.com to begin the registration process. (Email only, please; queries via social media, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing the day before the contest to determine the contest order. Registration closes at 5:00 p.m. Japanese Standard Time on January 15, 2026.
The Results
We’ll be blogging and tweeting results in real-time throughout the competition. Be sure to keep an eye on the blog for the latest information. We’ll also be posting live results on Twitter, Mastodon, LinkedIn, and Bluesky, so follow us on your favorite social platform for the latest news, and keep an eye on the #P2OAuto hashtag for continuing coverage.
We look forward to seeing everyone in Tokyo, and we look forward to seeing what new exploits and attack techniques they bring with them.
With special thanks to our Pwn2Own Automotive 2025 partners, Tesla, Alpitronic and the Open Charge Alliance, for providing their assistance and technology. Thanks also to the researchers from VicOne for their guidance and recommendations.