JSTORIES ー With the growing prevalence of connected cars — vehicles integrated with the internet and external systems — driving efficiency, safety, and convenience have significantly improved. However, this increased network connectivity has raised concerns about the heightened risks of cyberattacks, such as hacking into steering controls or theft of personal information.
Amid these concerns, a global contest featuring white-hat hackers — a person who hacks into a computer system to help expose flaws — was held in Tokyo to preemptively identify vulnerabilities in connected car applications and operating systems. The goal was to address undiscovered flaws (security gaps not yet recognized by software manufacturers and thus lacking patches or defenses) before malicious hackers can exploit them.
Pwn2Own Automotive 2025 at Tokyo Big Sight
The world’s largest zero-day vulnerability contest, Pwn2Own Automotive 2025, took place at Tokyo Big Sight. (Zero-day means software or hardware vulnerabilities that are unknown to the vendor or public and have no patches or fixes.) Hosted by VicOne, a cybersecurity company for automobiles and a subsidiary of Trend Micro, in collaboration with the Zero Day Initiative (ZDI), this marked the second edition of the contest following its inaugural event last year.
This year, 21 teams from 13 countries participated, competing across three categories: In-Vehicle Infotainment systems, electric vehicle (EV) chargers, and operating systems. Contestants aimed to discover unknown vulnerabilities, with successful participants earning points and cash prizes of up to $500,000. The team with the most points was awarded the prestigious title of Master of Pwn.
The contest saw remarkable achievements, with a total of 49 zero-day vulnerabilities (a security flaw in software or hardware that is discovered by attackers before the vendor becomes aware of it or has a chance to fix it) discovered over the three-day event. U.K.-based cybersecurity researcher Sina Kheirkhah from Summoning Team claimed the title of Master of Pwn, receiving $222,250 in prize money.
Pwn2Own Automotive, which was first held in 2024, has only been held in Japan so far. The event aligns with Automotive World, a prominent trade show in Tokyo focused on automotive technology. The organizer, Max Cheng, CEO of VicOne, says that the setting offers an ideal opportunity to engage directly with the industry’s key players and showcase the importance of cybersecurity in automotive technology.
“Japan’s automotive industry is one of the largest globally, even surpassing the U.S. in scale. Its reputation for safety and quality standards makes it an ideal place for us to develop and refine our cybersecurity solutions,” Cheng said.
Japan’s leadership in automotive technology, combined with its established reputation in cybersecurity through companies like Trend Micro, positions it as a strategic location for events like Pwn2Own Automotive. “Hosting the event in Japan allows us to raise awareness about the critical importance of cybersecurity in the automotive sector, especially as cars become more connected and vulnerable to attacks,” Cheng added.
Addressing new risks to connected and electric vehicles
As electric vehicles and connected vehicles become more prevalent, so do unique cybersecurity risks. In 2023, global electric car sales reached approximately 14 million units, accounting for about 18% of total passenger car sales, up from around 4% in 2020. Additionally, it is projected that by 2025, there will be over 400 million connected cars in operation worldwide, up from approximately 237 million in 2021. This rapid rise introduces new attack vectors, making robust cybersecurity measures essential.
“One example is vulnerabilities in charging infrastructure. Cybercriminals could exploit these systems to penetrate vehicles, something most people don’t consider,” Cheng said. Furthermore, advancements like 5G, Wi-Fi, and Bluetooth continue to open new pathways for cyberattacks, highlighting the need for heightened security.
Cheng also highlights a common misconception: “It’s not just EVs that are at risk. Any vehicle with an internal operating system, including hybrids, is susceptible to cyberattacks. As Japan’s EV market grows, so will the need for advanced cybersecurity solutions.”
The role of AI in automotive cybersecurity
Artificial intelligence has transformed the automotive sector but has also introduced new challenges.
“AI systems in vehicles, like voice controls, can be hijacked or malfunction, leading to dangerous situations,” Cheng said. “There’s also the risk of leaking personal data.”
VicOne is addressing these challenges by developing AI-powered tools that secure vehicles while protecting sensitive information.
“We use AI not only to secure these systems but also to monitor and detect breaches more efficiently,” Cheng said.
The importance of identifying zero-day vulnerabilities
This contest is designed to test cutting-edge automotive technologies in real-world conditions, identifying vulnerabilities before they can be exploited on the black market. By enabling quick countermeasures, it aims to enhance automotive cybersecurity. Additionally, through its generous prizes and recognition, the event fosters the growth of security research and helps cultivate the next generation of cybersecurity talent. Cheng believes this initiative is crucial for both innovation and safety in the industry.
“Through events like Pwn2Own, we not only address current threats but also build a stronger foundation for the future of automotive security,” Cheng said.
Written by Anita De Michele
Interview by J-Stories (Lucas Maltzman, Anita De Michele)
Editing by Mark Goldsmith
Top Photo by VicOne
For inquiries regarding this article, please contact jstories@pacificbridge.jp
Click here for the Japanese version of the article
