The second day of the inaugural Pwn2Own Automotive, the first-of-its-kind contest driven by VicOne with Trend Micro’s Zero Day Initiative (ZDI), revved up with multiple teams flexing multi-bug chain attacks. Already, today’s loot and yesterday’s total exceed US$1,000,000 in prizes.
Executing multiple multi-bug chains
The first attempt on Day 2 of Pwn2Own Automotive was from Team Tortuga, composed of Philipp Spiegel and Steffen Sanwald, who staged a two-chain attack against the ChargePoint Home Flex. While the attack was designated a “collision,” since it involved an exploit that was already known, they still earned US$15,000 for this attempt.
Figure 1. Philipp Spiegel and Steffen Sanwald of Team Tortuga successfully executing their attack against the ChargePoint Home Flex
Image from the ZDI
Team Tortuga seemed to set the expectation for the day as more teams combined two or even three zero-day exploits into a single exploit chain in staging their attacks. Right on the heels of Team Tortuga, the Midnight Blue/PHP Hooligans team successfully attacked the Phoenix Contact CHARX SEC-3100 using a three-bug chain, earning US$30,000.
Not to be outdone by today’s multi-bug chain challenge, the famous Synacktiv team unleashed a two-bug chain against Tesla’s in-vehicle infotainment (IVI) system. It was the contest’s — and indeed the team’s — second successful Tesla attack. Synacktiv garnered another US$100,000 for this round.
The following table shows the contest results of Pwn2Own Automotive Day 2.
| Attempt | Category | Result |
|---|---|---|
| Team Tortuga targeting the ChargePoint Home Flex with a two-bug chain | Electric Vehicle Chargers | Collision |
| The Midnight Blue/PHP Hooligans team targeting the Phoenix Contact CHARX SEC-3100 with a three-bug chain | Electric Vehicle Chargers | Success |
| Daan Keuper, Thijs Alkemade and Khaled Nassar from Computest Sector 7 targeting the JuiceBox 40 Smart EV Charging Station | Electric Vehicle Chargers | Collision |
| Sina Kheirkhah targeting the Autel MaxiCharger AC Wallbox Commercial | Electric Vehicle Chargers | Failure |
| The Synacktiv Team targeting the Tesla Infotainment system with a Sandbox Escape with a two-bug chain | Tesla | Success |
| NCC Group EDG targeting the Alpine Halo9 iLX-F509 with a two-bug chain | In-Vehicle Infotainment | Success |
| The PCAutomotive Team targeting the JuiceBox 40 Smart EV Charging Station | Electric Vehicle Chargers | Failure |
| Katsuhiko Sato targeting the Sony XAV-AX5500 | In-Vehicle Infotainment | Collision |
| Sina Kheirkhah targeting the EMPORIA EV Charger Level 2 | Electric Vehicle Chargers | Withdrawn |
| The Synacktiv Team targeting Automotive Grade Linux with a three-bug chain | Operating System | Success |
| Le Tran Hai Tung targeting the Alpine Halo9 iLX-F509 with a two-bug chain | In-Vehicle Infotainment | Success |
| RET2 Systems targeting the JuiceBox 40 Smart EV Charging Station | Electric Vehicle Chargers | Success |
| Daan Keuper, Thijs Alkemade, and Khaled Nassar from Computest Sector 7 targeting the Autel MaxiCharger AC Wallbox Commercial with a two-bug chain | Electric Vehicle Chargers | Success/Collision |
| Tobias Scharnowski and Felix Buchmann of fuzzware.io targeting the ChargePoint Home Flex with a two-bug chain | Electric Vehicle Chargers | Success |
| Alex Olson targeting the Phoenix Contact CHARX SEC-3100 | Electric Vehicle Chargers | Failure |
| Sina Kheirkhah targeting the Alpine Halo9 iLX-F509 | In-Vehicle Infotainment | Failure |
| The Midnight Blue/PHP Hooligans team targeting the Autel MaxiCharger AC Wallbox Commercial | Electric Vehicle Chargers | Success |
| Chris Anastasio and Fabius Watson of Team Cluck targeting Automotive Grade Linux | Operating System | Withdrawn |
| Tobias Scharnowski and Felix Buchmann of fuzzware.io targeting the Autel MaxiCharger AC Wallbox Commercial with a two-bug chain | Electric Vehicle Chargers | Collision |
| Tobias Scharnowski and Felix Buchmann of fuzzware.io targeting the Alpine Halo9 iLX-F509 with a two-bug chain | In-Vehicle Infotainment | Collision |
Table 1. The contest results of Pwn2Own Automotive Day 2. Note: An attempt is designated a “collision” if it involves a non-unique vulnerability (discovered by another researcher or previously known)
Playing a first-person shooter game on an IVI system
Can you play a first-person shooter game on an IVI system? It turns out that the answer is yes.
The NCC Group EDG proved that the scenario was possible when the team used a two-bug chain against the Alpine Halo9 iLX-F509. The team not only hacked the IVI system but also played a few levels of the popular first-person shooter game Doom. For this exploit, the team earned US$20,000 as well as priceless bragging rights.
The specifics of all Pwn2Own Automotive attacks, including NCC Group EDG’s successful attempt, are sparsely publicized to prevent real-world replications. But what’s for certain is that today’s occurrences of two- and three-bug chains emphasize the need to prevent unauthorized access to every component within the intricate ecosystem of connected cars. The vulnerability disclosures provide automotive manufacturers (OEMs) and Tier 1 suppliers adequate time to address the bugs and the opportunity to collaborate with the researchers who have discovered them.
Watch the video below for a quick overview of the highlights of Pwn2Own Automotive Day 2 from Tsutomu Shimizu of VicOne/Trend Micro Cybersecurity Institute.
Will there be another parade of multi-bug chains on Pwn2Own Automotive Day 3? Which team will be crowned the Master of Pwn? Stay tuned by following VicOne (LinkedIn, X, blog) and the ZDI (LinkedIn, X, blog).
With contributions from Dustin Childs of the ZDI
