Article Details
Scrape Timestamp (UTC): 2024-01-25 15:51:26.883
Original Article Text
Tesla hacked again, 24 more zero-days exploited at Pwn2Own Tokyo
Security researchers hacked the Tesla infotainment system and demoed 24 more zero-days on the second day of the Pwn2Own Automotive 2024 hacking competition.
Synacktiv Team (@Synacktiv) took home $100,000 after chaining two zero-day bugs for a sandbox escape to hack the Tesla Infotainment System. They also used a three-chain zero-day exploit to hack the Automotive Grade Linux operating system for an additional $35,000.
On the first day of Pwn2Own Automotive 2024, Synacktiv also collected another $295,000 after getting root on a Tesla Modem and hacking Ubiquiti Connect EV and JuiceBox 40 Smart EV Charging Stations using three chains, exploiting a total of seven zero-days.
Throughout the second day, competitors demoed 24 unique bugs and earned $382,500, totaling 48 zero-days and $1,101,500 since the start of the competition.
After the Pwn2Own competition ends, vendors have 90 days to release security fixes before Trend Micro's Zero Day Initiative publicly discloses the zero-days.
The Pwn2Own Automotive 2024 hacking contest takes place in Tokyo, Japan, during the Automotive World auto conference from January 24 to January 26, focusing on automotive technologies.
During the contest, the hackers target electric vehicle (EV) chargers, infotainment systems, and car operating systems, including Automotive Grade Linux, Android Automotive OS, and BlackBerry QNX. They'll also attack Tesla Model 3/Y (Ryzen-based) and Tesla Model S/X (Ryzen-based) units, including the in-vehicle infotainment (IVI) and modem systems, both already hacked during the first two days of the tournament.
The top prize that can be earned is $200,000 in cash and a Tesla car for VCSEC, gateway, or autopilot zero-day vulnerabilities.
The complete schedule of this year's automotive hacking contest is here, while the full schedule for the second day and the results for each challenge are available here.
Security researchers also earned $1,035,000 and a Tesla Model 3 car during the Pwn2Own Vancouver 2023 competition in March after demoing a total of 27 zero-days and several bug collisions.
Daily Brief Summary
Synacktiv Team secured $100,000 for exploiting two zero-day vulnerabilities to compromise Tesla's Infotainment System.
They also exploited a three-bug zero-day chain in the Automotive Grade Linux OS, earning an additional $35,000.
On the first day, Synacktiv earned $295,000 by rooting a Tesla Modem and hacking various EV charging stations.
In total, 48 unique zero-days were discovered during the competition, with prizes amounting to $1,101,500.
Vendors are given a 90-day deadline to address the vulnerabilities before they are publicly disclosed by Trend Micro's Zero Day Initiative.
Pwn2Own Automotive 2024 is held as part of the Automotive World conference in Tokyo, with a focus on vehicle and EV charger security.
The competition challenges participants to hack EV chargers, operating systems, and infotainment systems, with a top prize of $200,000 and a Tesla car.
The event follows a successful Pwn2Own Vancouver 2023 where researchers earned $1,035,000 and a Tesla Model 3.