AI-Powered Defense and Beyond: Harnessing Intelligence to Uncover and Address Automotive Zero-Day Vulnerabilities

November 8, 2024
VicOne

By Ling Cheng (Senior Product Marketing Manager)

Google’s Project Zero recently announced its discovery of a zero-day vulnerability in real-world source code using Big Sleep, its framework assisted by large language models (LLMs). The project demonstrated how an AI-driven agent successfully identified an exploitable stack buffer overflow vulnerability in SQLite, a widely used open-source database engine.

While the Big Sleep research is still in its early stages, it highlights the promising potential of AI to augment testing methodologies for uncovering zero-day vulnerabilities, particularly those difficult to detect with existing methods.

Why zero-day vulnerabilities matter

A zero-day vulnerability is a hidden, high-risk threat that attackers can exploit before it is widely known. If a zero-day attack occurs unexpectedly and no solution is available, companies might face costly recalls and serious reputational damage.

Dealing with a zero-day vulnerability can be highly challenging, with the threat stemming from three key scenarios:

  • Attackers know about the vulnerability, but no one else does.
  • Attackers know about the vulnerability, and only a small group of insiders or dark web users are aware of it.
  • Attackers know about the vulnerability, but the affected company remains completely unaware.

When companies are unaware of zero-day vulnerabilities, they cannot defend against attacks or address the issues. This makes zero-day attacks highly likely to succeed and cause rapid, significant damage.

What’s more concerning is that many companies rely solely on Common Vulnerabilities and Exposures (CVEs) — standardized identifiers for publicly disclosed cybersecurity vulnerabilities — for product security. However, CVEs don’t account for zero-day threats that aren’t listed in known databases. In short, companies, including those in the automotive industry, remain susceptible to unpredictable risks without proactive defenses.

A comprehensive approach to uncovering zero-day vulnerabilities

In addition to using AI agents such as Project Zero’s Big Sleep to learn from known vulnerabilities and analyze source code, here are other approaches to uncovering potential vulnerabilities: 

  • Penetration testing: Conduct thorough assessments to identify vulnerabilities within systems.
  • Dark web monitoring: Track zero-day vulnerabilities and attack methods on the dark web, and verify credible threats using strong technical expertise. 
  • Vulnerability acquisition and intelligence sharing: Collaborate with trusted vulnerability experts such as Trend Micro’s Zero Day Initiative (ZDI) to access high-quality zero-day intelligence.
  • Automotive hacking contests: Engage in competitions, such as Pwn2Own Automotive, that challenge ethical hackers to find vulnerabilities without access to source code, thus encouraging creative and novel threat detection methodologies. 

At VicOne, we fully recognize the critical impact that zero-day vulnerabilities can have on the automotive industry. This is why we employ the aforementioned proactive strategies to uncover and address these threats. 

Figure 1. VicOne’s comprehensive approach to uncovering automotive zero-day vulnerabilities

Aside from actively monitoring and acquiring zero-day threat intelligence, we have made significant strides in our research on using AI-powered solutions to uncover zero-day vulnerabilities and Common Weakness Enumerations (CWEs) in automotive software.

We’re also committed to advancing our efforts with Pwn2Own Automotive, the only event of its kind in the world dedicated to vulnerabilities in connected car technologies. In Pwn2Own Automotive 2024, researchers discovered 49 unique zero-day vulnerabilities in just three days — including one that could enable remote control of a Tesla vehicle and a couple that could allow manipulation of an electric vehicle (EV) charging station, potentially overloading the power grid.

These comprehensive efforts — AI-powered automotive cybersecurity solutions and other advanced strategies — demonstrate not only VicOne’s leadership in automotive zero-day vulnerability intelligence but also our unwavering commitment to protecting connected vehicles amidst a rapidly evolving threat landscape.
