Pwn2Own Automotive, the world’s first and only contest targeting vulnerabilities in technologies for connected cars, reached the finish line with a bang. With VicOne and Trend Micro’s Zero Day Initiative (ZDI) awarding a total of US$1,323,750 for the discovery of 49 unique zero-day vulnerabilities, the three-day event indeed ended firing on all cylinders.
A highly charged competition
On Pwn2Own Automotive Day 3, electric vehicle (EV) chargers took the front seat with seven out of the scheduled nine attempts targeting these devices. The first came from Computest Sector 7: The team, composed of Daan Keuper and Thijs Alkemade, used a two-bug chain to exploit the ChargePoint Home Flex, earning US$30,000 in the process.
Figure 1. Computest Sector 7 successfully executing its attack against the ChargePoint Home Flex
Image from the ZDI
Raising the ante from yesterday’s multi-bug combos, Chris Anastasio and Fabius Watson of Team Cluck unleashed a four-bug chain against the Phoenix Contact CHARX SEC-3100. While one of the bugs was designated a “collision” as it was previously known, the team still took home US$26,250.
Sina Kheirkhah, for his part, used a two-bug chain to “rickroll” the Ubiquiti Connect EV. He turned on the charger’s camera, which was normally disabled by the manufacturer, and flashed a dancing Rick Astley to seal the deal and walk away with US$30,000.
Figure 2. Sina Kheirkhah “rickrolling” the Ubiquiti Connect EV.
Image from the ZDI
The following table shows the contest results of Pwn2Own Automotive Day 3.
| Attempt | Category | Result |
|---|---|---|
| Daan Keuper, Thijs Alkemade, and Khaled Nassar from Computest Sector 7 targeting the ChargePoint Home Flex | Electric Vehicle Chargers | Success |
| Connor Ford of Nettitude targeting the Phoenix Contact CHARX SEC-3100 | Electric Vehicle Chargers | Failure |
| Katsuhiko Sato targeting the Pioneer DMH-WT7600NEX | In-Vehicle Infotainment | Failure |
| The Synacktiv team targeting the Sony XAV-AX5500 | In-Vehicle Infotainment | Success |
| Sina Kheirkhah targeting the Ubiquiti Connect EV Station | Electric Vehicle Chargers | Success |
| Tobias Scharnowski and Felix Buchmann of fuzzware.io targeting the Phoenix Contact CHARX SEC-3100 | Electric Vehicle Chargers | Success/Collision |
| Connor Ford of Nettitude targeting the JuiceBox 40 Smart EV Charging Station | Electric Vehicle Chargers | Success |
| Tobias Scharnowski and Felix Buchmann of fuzzware.io targeting the EMPORIA EV Charger Level 2 | Electric Vehicle Chargers | Success |
| Chris Anastasio and Fabius Watson of Team Cluck targeting the Phoenix Contact CHARX SEC-3100 | Electric Vehicle Chargers | Success/Collision |
Table 1. The contest results of Pwn2Own Automotive Day 3. Note: An attempt is designated a “collision” if it involves a non-unique vulnerability (discovered by another researcher or previously known).
While today’s roster of EV charger–targeting attempts was randomly drawn, it doesn’t diminish the growing concern over the cybersecurity of EV charging systems and their potential impacts on the entire EV charging infrastructure. Cybercriminals could use them as stepping stones to compromise other systems: other pieces of electric vehicle supply equipment (EVSE), the service cloud, and even the power grid.
The first-ever Pwn2Own Automotive Master of Pwn
Members of the prolific Synacktiv team, who already had two Tesla hacks under their belts in the competition, did not exploit any EV chargers today. But they did successfully attack the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category and added U$20,000 to their loot.
This feat completed the team’s sweep of all four Pwn2Own Automotive categories: Tesla, In-Vehicle Infotainment (IVI), Electric Vehicle Chargers, and Operating Systems. With 50 Master of Pwn points, about double the number of points of their nearest competitor, they rightfully earned the title of Master of Pwn, signifying the overall winner of the competition. They won a cool Pwn2Own jacket, a Gundam-inspired trophy, and a mind-blowing US$450,000.
Figure 3. Max Cheng (far left), VicOne’s CEO, and Dustin Childs (far right), Head of Threat Awareness for the ZDI, awarding the title of Master of Pwn to the Synacktiv team (center), represented here by David Berard, Vincent Dehors, and Thomas Bouzerar
Figure 4. The final Pwn2Own Automotive leaderboard
Watch the video below for a quick overview of the highlights of Pwn2Own Automotive Day 3 from Tsutomu Shimizu of VicOne/Trend Micro Cybersecurity Institute.
And that’s a wrap for Pwn2Own Automotive 2024! VicOne is proud to have hosted the inaugural edition of Pwn2Own Automotive with the ZDI. This event not only showcases and rewards the expertise of ethical hackers, but also provides a platform for researchers and industry leaders to collaborate — ensuring a more resilient and robust automotive cybersecurity amid a rapidly evolving threat landscape.
Follow VicOne (LinkedIn, X, blog) for more Pwn2Own Automotive updates. To read more research on vulnerabilities in connected vehicles and learn best security practices, visit our resource center.
With contributions from Dustin Childs of the ZDI
