Article Details

Original Article Text

Pwn2Own Automotive: $1.3M for 49 zero-days, Tesla hacked twice

The first edition of Pwn2Own Automotive has ended with competitors earning $1,323,750 for hacking Tesla twice and demoing 49 zero-day bugs in multiple electric car systems between January 24 and January 26.

Throughout the contest organized by Trend Micro's Zero Day Initiative (ZDI) in Tokyo, Japan, during the Automotive World auto conference, hackers targeted fully patched electric vehicle (EV) chargers, infotainment systems, and car operating systems.

After a zero-day vulnerability is exploited and reported to vendors during Pwn2Own, they have 90 days to release security patches before Trend Micro's Zero Day Initiative discloses it publicly.

You can find the complete set of targets and the rules of Pwn2Own Automotive here. The full schedule is listed here.

The Pwn2Own Automotive 2024 contest was won by Team Synacktiv, who took home $450,000 in cash, followed by fuzzware.io with $177,500 and Midnight Blue/PHP Hooligans with $80,000.

Synacktiv hacked the Tesla car twice, getting root permissions on a Tesla Modem by chaining three vulnerabilities on the first day and demoing a Tesla Infotainment System sandbox escape via a chain of two zero-days on the second day. They also demoed two unique two-bug chains against the Ubiquiti Connect EV Station and the JuiceBox 40 Smart EV Charging Station, as well as a three-bug exploit targeting the Automotive Grade Linux OS.

Synacktiv also dominated the Pwn2Own Vancouver 2023 contest in March, earning $530,000 and a Tesla car for two exploit chains targeting its Gateway and Infotainment Unconfined Root.

In October, at Pwn2Own Toronto 2023, hackers won over $1 million for 58 zero-day exploits and multiple bug collisions targeting consumer products, including the Samsung Galaxy S23 smartphone, multiple printer models, surveillance systems, and network-attached storage (NAS) devices.

Earlier this month, ZDI announced that the Pwn2Own Vancouver 2024 competition is scheduled to take place starting March 20th during the CanSecWest 2024 Conference. The event will feature a prize pool of over $1,000,000 for exploits in various software categories and automotive systems found in Tesla Model 3 and Model S cars.

Daily Brief Summary

MISCELLANEOUS // Pwn2Own Auto Event Ends With Big Rewards for EV Hacks

The first Pwn2Own Automotive contest concluded with participants earning $1,323,750 for unveiling 49 zero-day vulnerabilities in electric car systems.

Tesla vehicles were hacked twice, with Team Synacktiv claiming $450,000 for multiple exploits, including gaining root access and escaping the infotainment system sandbox.

The event took place during the Automotive World conference in Tokyo and focused on electric vehicle chargers, infotainment systems, and car operating systems.

After a vulnerability is exploited and reported during the contest, vendors have a 90-day window to patch it before public disclosure by Trend Micro's Zero Day Initiative.

Synacktiv also earned significant winnings at the Pwn2Own Vancouver 2023 event, and ZDI has announced Pwn2Own Vancouver 2024 with a prize pool of over $1,000,000.

The competition showcases the increasing importance of cybersecurity in the automotive industry, particularly for electric vehicles and their connected systems.