Pwn2Own Automotive, the first-of-its-kind contest being driven by VicOne with Trend Micro’s Zero Day Initiative (ZDI), got off to a great start today at the Automotive World conference in Tokyo Big Sight. The massive hall was brimming with excitement as different on- and off-site teams, considered among the brightest within the ethical hacking community, prepared to make their marks during the three-day event.
First of many firsts
On Day 1 of Pwn2Own Automotive, 22 attempts were made, including some so-called “Pwn2Own After Dark” attempts, which occurred after the Automotive World’s venue had closed. In total, US$722,500 in prizes was awarded for 24 unique exploits.
Sina Kheirkhah made the first successful attempt, earning US$60,000 for executing an attack against the ChargePoint Home Flex in the Electric Vehicle Chargers category.
Figure 1. Sina Kheirkha successfully executing his attack against the ChargePoint Home Flex
Image from the ZDI
Another highlight was the contest’s first remote or off-site attempt. RET2 Systems successfully targeted the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category and earned US$60,000 in the process.
The biggest prize of the day — a whopping US$100,000 — was awarded to the Synacktiv team, for successfully executing a three-bug chain against the Tesla modem. This is the same Pwn2Own Vancouver 2023 team that used a two-bug chain to demonstrate a remote attack on a Tesla vehicle. Synacktiv also successfully demonstrated four other attack scenarios today, accumulating almost US$300,000 in cash rewards.
Figure 2. The Synacktiv team executing its three-bug chain against the Tesla modem
The following table shows the complete contest results of Pwn2Own Automotive Day 1.
| Attempt | Category | Result |
|---|---|---|
| Sina Kheirkhah targeting the ChargePoint Home Flex | Electric Vehicle Chargers | Success |
| Rob Blakely from Cromulence targeting Automotive Grade Linux | Operating Systems | Collision |
| The PCAutomotive Team targeting the Alpine Halo9 iLX-F509 | In-Vehicle Infotainment | Success |
| Tobias Scharnowski and Felix Buchmann of fuzzware.io targeting the Sony XAV-AX5500 | In-Vehicle Infotainment | Success |
| The Synacktiv Team targeting the Tesla Modem with a three-bug chain | Tesla | Success |
| Katsuhiko Sato targeting the Alpine Halo9 iLX-F509 | In-Vehicle Infotainment | Success |
| Sina Kheirkhah targeting the Sony XAV-AX5500 | In-Vehicle Infotainment | Failure |
| NCC Group EDG targeting the Pioneer DMH-WT7600NEX with a three-bug chain | In-Vehicle Infotainment | Success |
| The Synacktiv Team targeting the Ubiquiti Connect EV Station with a two-bug chain | Electric Vehicle Chargers | Success |
| RET2 Systems targeting the Phoenix Contact CHARX SEC-3100 with a two-bug chain | Electric Vehicle Chargers | Success |
| Vudq16 and Q5CA from u0K++ targeting the Alpine Halo9 iLX-F509 | In-Vehicle Infotainment | Success |
| The Midnight Blue/PHP Hooligans team targeting the Sony XAV-AX5500 | In-Vehicle Infotainment | Success |
| The Synacktiv Team targeting the ChargePoint Home Flex with a two-bug chain | Electric Vehicle Chargers | Collision |
| Sina Kheirkhah targeting the Phoenix Contact CHARX SEC-3100 | Electric Vehicle Chargers | Failure |
| The Synacktiv Team targeting the JuiceBox 40 Smart EV Charging Station Electric Vehicle Chargers category with a two-bug chain | Electric Vehicle Chargers | Success |
| Gary Li Wang targeting the Sony XAV-AX5500 | In-Vehicle Infotainment | Success |
| Connor Ford of Nettitude targeting the ChargePoint Home Flex with a two-bug chain | Electric Vehicle Chargers | Collision |
| NCC Group EDG targeting the Phoenix Contact CHARX SEC-310 | Electric Vehicle Chargers | Success |
| Sina Kheirkhah targeting the JuiceBox 40 Smart EV Charging Station | Electric Vehicle Chargers | Failure |
| The Synacktiv Team targeting the Autel MaxiCharger AC Wallbox Commercial with a two-bug chain | Electric Vehicle Chargers | Success |
| Chris Anastasio and Fabius Watson of Team Cluck targeting the ChargePoint Home Flex in the Electric Vehicle Chargers category | Electric Vehicle Chargers | Collision |
| Sina Kheirkhah targeting the Pioneer DMH-WT7600NEX | In-Vehicle Infotainment | Failure |
Table 1. The complete contest results of Pwn2Own Automotive Day 1. Note: An attempt is designated a “collision” if it involves a non-unique vulnerability (discovered by another researcher or previously known).
Live demos: EV charger vulnerabilities and a remote API attack
As the contest was raging, researchers from the ZDI and VicOne took the floor to demonstrate three intriguing attack scenarios.
Jonathan Andersson, Thanos Kaliyanakis, and Todd Manning from the ZDI walked the rapt audience through their discovery of two EV charger vulnerabilities.
Figure 3. Researchers from the ZDI demonstrating two EV charger vulnerabilities
Shin Li and Omar Yang from VicOne, on the other hand, demoed a remote API attack using compromised account credentials on a car located halfway across the world.
Figure 4. Researchers from VicOne demonstrating a remote API attack scenario
In keeping with the spirit of exploration and innovation of Pwn2Own Automotive, these demos underscored the indispensable role of automotive vulnerability discovery and the importance of robust cybersecurity protection, given the real-world impact of unaddressed flaws.
Watch the video below for a quick overview of the highlights of the kickoff of Pwn2Own Automotive from Tsutomu Shimizu of VicOne/Trend Micro Cybersecurity Institute.
Stay tuned for Day 2 of Pwn2Own Automotive by following VicOne (LinkedIn, X, blog) and the ZDI (LinkedIn, X, blog).
With contributions from Dustin Childs of the ZDI
