44 Unique Zero-Day Vulnerabilities Discovered at Pwn2Own Automotive Are Detectable Only by VicOne Products

February 8, 2024
VicOne
44 Unique Zero-Day Vulnerabilities Discovered at Pwn2Own Automotive Are Detectable Only by VicOne Products

By Ling Cheng (Senior Product Marketing Manager)

In our previous blog entry, we discussed the significance of zero-day vulnerabilities and why zero-day threat intelligence is crucial for inclusion in automotive threat intelligence. Now, we’re thrilled to share that during the Pwn2Own Automotive event — hosted by VicOne and Trend Micro’s Zero Day Initiative (ZDI) in Tokyo, Japan, from Jan. 24 to 26, 2024 — a total of 49 unique zero-day vulnerabilities were discovered. And VicOne products are the only automotive cybersecurity products in the market that can detect 44 of these zero-day vulnerabilities. They are now detectable by our range of products, which includes: our next-generation vehicle security operations center (VSOC) platform, xNexus; our frictionless on-board intrusion detection or prevention system (IDS/IPS), xCarbon; and our superior automotive vulnerability and software bill of materials (SBOM) management system, xZETA.

Among these discoveries were vulnerabilities that allowed the NCC Group EDG team to run the popular first-person shooter game Doom on an in-vehicle infotainment (IVI) system. Additionally, Sina Kheirkhah leveraged a two-bug chain to “rickroll” an electric vehicle (EV) charging system by activating the charger’s camera, typically disabled by the manufacturer, and displaying a dancing Rick Astley.

With our exclusive zero-day threat intelligence, we’re able to provide our customers with a significant advantage over other security vendors. By offering early detection capabilities, we empower automotive OEMs, Tier 1 suppliers, and EV charging system suppliers to proactively assess risks and potential business impacts ahead of competitors. This allows our customers to determine whether their vehicle components or charging systems are vulnerable to any of the identified 44 zero-day vulnerabilities, providing a proactive approach to potential risks.

Let’s dive into our products to see how we can help.

One and only: Detection of unique zero-day vulnerabilities in ECU software packages

Addressing known vulnerabilities only is insufficient to effectively mitigate risks in the ever-changing automotive threat landscape. Unlike today’s vulnerability management systems that primarily focus on known vulnerabilities, our xZETA is designed to detect unique zero-day vulnerabilities in the firmware or binary of electronic control units (ECUs) or EV charging systems.

By leveraging xZETA, OEMs, Tier 1 suppliers, and EV charging system suppliers can proactively receive early warnings and conduct timely assessments. Now, they can detect whether any of the unique zero-day vulnerabilities is present in their ECU or charging system software packages. xZETA not only covers these specific zero-day vulnerabilities but also offers extensive detection coverage ranging from undisclosed vulnerabilities and CWEs to advanced persistent threats (APTs) and ransomware (see Figure 1). Our aim is to assist our customers in eliminating unknown-vulnerability blind spots and enhancing their overall cybersecurity posture.

Figure 1. xZETA is the only product that can detect the 49 unique zero-day vulnerabilities in software packages.

Figure 1. xZETA is the only product that can detect the unique zero-day vulnerabilities in software packages.

Protection beyond others’: Earliest risk and business impact assessment with the best zero-day automotive threat intelligence

Missing out on zero-day automotive threat intelligence can lead to unknown-vulnerability blind spots. This underscores the crucial role of effective automotive threat intelligence.

Powered by VicOne’s unique and best-in-class automotive threat intelligence, our next-generation VSOC platform, xNexus, and our frictionless on-board IDS/IPS, xCarbon, cover unique zero-day vulnerabilities. With one click, our customers can quickly assess risk and business impact through xNexus, evaluating whether the systems in use might be susceptible to exploitable zero-day vulnerabilities (see Figure 2). The VSOC team can access detailed information on important factors such as attack vectors, paths, and tactics, techniques, and procedures (TTPs) for comprehensive automotive cybersecurity insights. And even when vehicles are on the road or charging systems are operational, xCarbon can detect these zero-day vulnerabilities, giving OEMs and suppliers peace of mind.

Figure 2. With one click, our customers can quickly assess risk and business impact through xNexus.

Figure 2. With one click, our customers can quickly assess risk and business impact through xNexus.

With the strong backing of the ZDI and strategic initiatives like Pwn2Own Automotive, VicOne’s automotive threat intelligence includes unique insights into zero-day vulnerabilities. It provides the full coverage to help our customers eliminate unknown-vulnerability blind spots and gain early-assessment capabilities to safeguard their systems against cyberattacks.

Note: Given the critical nature of zero-day vulnerabilities, we follow the standard zero-day vulnerability management process. Therefore, our products are regularly updated with information reflecting vulnerability progress. This article was updated on Feb. 9, 2024, to clarify the vulnerability number.

Our News and Views

Gain Insights Into Automotive Cybersecurity

Visit Our Blog

Accelerate Your Automotive Cybersecurity Journey Today

Contact Us