By Gloria Chen (Senior Threat Researcher, Automotive), Spencer Hsieh (Staff Threat Researcher, Automotive), Shin Li (Staff Threat Researcher, Automotive), Omar Yang (Senior Threat Researcher, Automotive)
It has been several weeks since the conclusion of the inaugural edition of Pwn2Own Automotive, yet we’re still finding more to unpack from the three-day event hosted by VicOne with Trend Micro’s Zero Day Initiative (ZDI). In 51 challenges across the competition’s four major categories — Tesla, operating systems, in-vehicle infotainment (IVI) systems, and electric vehicle (EV) chargers — 17 teams and individuals from around the globe put their skills on display at this first-ever automotive-centered Pwn2Own. Participants took home cash prizes and the Synacktiv team was hailed the overall winner, aka the Master of Pwn. However, the real reward for the automotive industry is the 49 unique zero-day vulnerabilities uncovered during the event and the opportunity to address them.
In this blog entry, we share our own insights, looking beyond the numbers to focus on emerging security gaps and prevalent trends.
Key observations and takeaways
Pwn2Own Automotive not only highlighted significant vulnerabilities across various automotive systems and components, but also hinted at general trends within the field. We summarize here our own impressions, from emergent security gaps and vulnerabilities to the overall level of expertise displayed during the event.
Differing levels of security across categories
Tesla emerged as the most secure among the showcased systems, boasting a robust security framework and maintaining strong support for its bug bounty program.
Conversely, charging controllers exhibited the lowest level of security measures, reminiscent of devices from the 1990s. These controllers lack modern security features like data execution prevention (DEP), address space layout randomization (ASLR), and buffer security check, which are commonly found in contemporary operating systems.
Firmware accessibility also varied among the devices, with IVI system and charging station firmware proving more challenging to obtain than Windows or Linux binaries. Despite this, the security mechanisms employed in these devices lag behind major operating systems.
The need for improved security for the entire vehicle ecosystem
Participants appeared to gravitate toward perceived easier targets. The disparity in security attention was evident: Only one team targeted Tesla whereas eight teams focused on EV chargers. This discrepancy underscores the urgent need for heightened security measures across the automotive industry.
The gap between vendors and security experts
After each attempt, discovered vulnerabilities were disclosed to the engineers who represented participating vendors. We observed that certain vendors appeared to lack sufficient cybersecurity knowledge to understand discovered flaws. This knowledge gap presents an opportunity to enhance the security posture of automotive systems, through the help of security experts and solutions. It should be noted, however, that the participation of vendors in Pwn2Own Automotive shows readiness to remedy blind spots.
Prevalent yet actionable security issues
The event also emphasized prevalent yet actionable security gaps.
One significant issue we have observed in the automotive industry is the inability to update many existing chip security flaws, which necessitates replacement rather than updating. Consequently, enabling over-the-air (OTA) updates for chips in next-generation EVs is an important challenge to address.
Another observation is the prevalence of debug interfaces like JTAG on charging devices, which poses a serious security risk, facilitating unauthorized access and exploitation. The same issue was even used by researchers from the ZDI in their on-site demo at Pwn2Own Automotive.
Shortcomings in the development process
We observed the efficiency of static application security testing (SAST) in uncovering vulnerabilities within a short time frame. This highlights shortcomings in the development process of automotive components, suggesting the need for more rigorous security testing protocols.
The importance of vulnerability discovery
Generating insights such as these is part of the reason that VicOne hosted with the ZDI a Pwn2Own event focusing on ethical hacking in the automotive industry.
As leaders in discovering zero-day vulnerabilities in automotive systems, VicOne remains dedicated to addressing the evolving automotive ecosystem and the extensive attack surface it presents. In addition to providing automotive cybersecurity solutions for manufacturers, suppliers, and the entire automotive network, VicOne aims to address real-world problems through genuine research and collaboration, inviting experts to uncover vulnerabilities in automotive systems to drive technological advancements and safeguard connected vehicles from various cyberthreats.
