Tesla hacked, 24 zero-days demoed at Pwn2Own Automotive 2024


Security researchers hacked a Tesla Modem and collected awards of $722,500 on the first day of Pwn2Own Automotive 2024 for three bug collisions and 24 unique zero-day exploits.

Synacktiv Team (@Synacktiv) took home $100,000 after successfully chaining three zero-day bugs to get root permissions on a Tesla Modem.

They also used two unique two-bug chains to hack a Ubiquiti Connect EV Station and a JuiceBox 40 Smart EV Charging Station, earning an additional $120,000.

A third exploit chain targeting the ChargePoint Home Flex EV charger was already known but still brought them $16,000 in cash, with a total of $295,000 in prizes during the first day of the contest.

Security researchers also successfully hacked multiple fully patched EV charging stations and infotainment systems, with the NCC Group EDG team taking the second place on the leaderboard after winning $70,000 for zero-days exploited to hack the Pioneer DMH-WT7600NEX infotainment system and the Phoenix Contact CHARX SEC-3100 EV charger.

After the zero-day bugs are exploited and reported during the Pwn2Own competition, vendors have 90 days to develop and release security fixes before TrendMicro’s Zero Day Initiative publicly discloses them.

Pwn2Own rankings after first day
Leaderboard after the first day of Pwn2Own Automotive

​The Pwn2Own Automotive 2024 hacking contest focuses on automotive technologies and takes place this week in Tokyo, Japan, during the Automotive World auto conference between January 24 and January 26.

Throughout the competition, security researchers will be able to target Tesla in-vehicle infotainment (IVI) systems, electric vehicle (EV) chargers, and car operating systems (i.e., Automotive Grade Linux, BlackBerry QNX, Android Automotive OS).

They’ll also demo zero-day exploits targeting Tesla Model 3/Y (Ryzen-based) or Tesla Model S/X (Ryzen-based) systems, including the infotainment system, modem, tuner, wireless, and autopilot.

The top prize will be awarded for VCSEC, gateway, or autopilot zero-days, with a cash award of $200,000 and a Tesla car.

You can find the complete schedule of this year’s automotive hacking contest here. The full schedule for the first day and the results for each challenge are available here.

During the Pwn2Own Vancouver 2023 competition in March, security researchers earned $1,035,000 and a Tesla Model 3 car after demoing 27 zero-day (and several bug collisions).





Source link