Pwn2Own Automotive Day 2: Multiple Multi-Bug Chains, a Second Tesla Attack, and Other Highlights

January 25, 2024
VicOne
Pwn2Own Automotive Day 2: Multiple Multi-Bug Chains, a Second Tesla Attack, and Other Highlights

The second day of the inaugural Pwn2Own Automotive, the first-of-its-kind contest driven by VicOne with Trend Micro’s Zero Day Initiative (ZDI), revved up with multiple teams flexing multi-bug chain attacks. Already, today’s loot and yesterday’s total exceed US$1,000,000 in prizes.

Executing multiple multi-bug chains

The first attempt on Day 2 of Pwn2Own Automotive was from Team Tortuga, composed of Philipp Spiegel and Steffen Sanwald, who staged a two-chain attack against the ChargePoint Home Flex. While the attack was designated a “collision,” since it involved an exploit that was already known, they still earned US$15,000 for this attempt.

Figure 1. Philipp Spiegel and Steffen Sanwald of Team Tortuga successfully executing their attack against the ChargePoint Home Flex

Figure 1. Philipp Spiegel and Steffen Sanwald of Team Tortuga successfully executing their attack against the ChargePoint Home Flex
Image from the ZDI

Team Tortuga seemed to set the expectation for the day as more teams combined two or even three zero-day exploits into a single exploit chain in staging their attacks. Right on the heels of Team Tortuga, the Midnight Blue/PHP Hooligans team successfully attacked the Phoenix Contact CHARX SEC-3100 using a three-bug chain, earning US$30,000.

Not to be outdone by today’s multi-bug chain challenge, the famous Synacktiv team unleashed a two-bug chain against Tesla’s in-vehicle infotainment (IVI) system. It was the contest’s — and indeed the team’s — second successful Tesla attack. Synacktiv garnered another US$100,000 for this round.

The following table shows the contest results of Pwn2Own Automotive Day 2.

AttemptCategoryResult
Team Tortuga targeting the ChargePoint Home Flex with a two-bug chainElectric Vehicle ChargersCollision
The Midnight Blue/PHP Hooligans team targeting the Phoenix Contact CHARX SEC-3100  with a three-bug chainElectric Vehicle ChargersSuccess
Daan Keuper, Thijs Alkemade and Khaled Nassar from Computest Sector 7 targeting the JuiceBox 40 Smart EV Charging StationElectric Vehicle ChargersCollision
Sina Kheirkhah targeting the Autel MaxiCharger AC Wallbox CommercialElectric Vehicle ChargersFailure
The Synacktiv Team targeting the Tesla Infotainment system with a Sandbox Escape  with a two-bug chainTeslaSuccess
NCC Group EDG targeting the Alpine Halo9 iLX-F509  with a two-bug chainIn-Vehicle InfotainmentSuccess
The PCAutomotive Team targeting the JuiceBox 40 Smart EV Charging StationElectric Vehicle ChargersFailure
Katsuhiko Sato targeting the Sony XAV-AX5500In-Vehicle InfotainmentCollision
Sina Kheirkhah targeting the EMPORIA EV Charger Level 2Electric Vehicle ChargersWithdrawn
The Synacktiv Team targeting Automotive Grade Linux  with a three-bug chainOperating SystemSuccess
Le Tran Hai Tung targeting the Alpine Halo9 iLX-F509  with a two-bug chainIn-Vehicle InfotainmentSuccess
RET2 Systems targeting the JuiceBox 40 Smart EV Charging StationElectric Vehicle ChargersSuccess
Daan Keuper, Thijs Alkemade, and Khaled Nassar from Computest Sector 7 targeting the Autel MaxiCharger AC Wallbox Commercial with a two-bug chainElectric Vehicle ChargersSuccess/Collision
Tobias Scharnowski and Felix Buchmann of fuzzware.io targeting the ChargePoint Home Flex with a two-bug chainElectric Vehicle ChargersSuccess
Alex Olson targeting the Phoenix Contact CHARX SEC-3100Electric Vehicle ChargersFailure
Sina Kheirkhah targeting the Alpine Halo9 iLX-F509In-Vehicle InfotainmentFailure
The Midnight Blue/PHP Hooligans team targeting the Autel MaxiCharger AC Wallbox CommercialElectric Vehicle ChargersSuccess
Chris Anastasio and Fabius Watson of Team Cluck targeting Automotive Grade LinuxOperating SystemWithdrawn
Tobias Scharnowski and Felix Buchmann of fuzzware.io targeting the Autel MaxiCharger AC Wallbox Commercial with a two-bug chainElectric Vehicle ChargersCollision
Tobias Scharnowski and Felix Buchmann of fuzzware.io targeting the Alpine Halo9 iLX-F509 with a two-bug chainIn-Vehicle InfotainmentCollision

Table 1. The contest results of Pwn2Own Automotive Day 2. Note: An attempt is designated a “collision” if it involves a non-unique vulnerability (discovered by another researcher or previously known)

Playing a first-person shooter game on an IVI system

Can you play a first-person shooter game on an IVI system? It turns out that the answer is yes.

The NCC Group EDG proved that the scenario was possible when the team used a two-bug chain against the Alpine Halo9 iLX-F509. The team not only hacked the IVI system but also played a few levels of the popular first-person shooter game Doom. For this exploit, the team earned US$20,000 as well as priceless bragging rights.

The specifics of all Pwn2Own Automotive attacks, including NCC Group EDG’s successful attempt, are sparsely publicized to prevent real-world replications. But what’s for certain is that today’s occurrences of two- and three-bug chains emphasize the need to prevent unauthorized access to every component within the intricate ecosystem of connected cars. The vulnerability disclosures provide automotive manufacturers (OEMs) and Tier 1 suppliers adequate time to address the bugs and the opportunity to collaborate with the researchers who have discovered them.

Watch the video below for a quick overview of the highlights of Pwn2Own Automotive Day 2 from Tsutomu Shimizu of VicOne/Trend Micro Cybersecurity Institute.

Will there be another parade of multi-bug chains on Pwn2Own Automotive Day 3? Which team will be crowned the Master of Pwn? Stay tuned by following VicOne (LinkedIn, X, blog) and the ZDI (LinkedIn, X, blog).

With contributions from Dustin Childs of the ZDI

Our News and Views

Gain Insights Into Automotive Cybersecurity

Visit Our Blog

Accelerate Your Automotive Cybersecurity Journey Today

Contact Us