Pwn2Own Automotive Day 3: EV Chargers Take the Front Seat and the Contest Crowns Its First Master of Pwn

January 26, 2024
VicOne
Pwn2Own Automotive Day 3: EV Chargers Take the Front Seat and the Contest Crowns Its First Master of Pwn

Pwn2Own Automotive, the world’s first and only contest targeting vulnerabilities in technologies for connected cars, reached the finish line with a bang. With VicOne and Trend Micro’s Zero Day Initiative (ZDI) awarding a total of US$1,323,750 for the discovery of 49 unique zero-day vulnerabilities, the three-day event indeed ended firing on all cylinders.

A highly charged competition

On Pwn2Own Automotive Day 3, electric vehicle (EV) chargers took the front seat with seven out of the scheduled nine attempts targeting these devices. The first came from Computest Sector 7: The team, composed of Daan Keuper and Thijs Alkemade, used a two-bug chain to exploit the ChargePoint Home Flex, earning US$30,000 in the process.

Computest Sector 7 successfully executing its attack against the ChargePoint Home Flex

Figure 1. Computest Sector 7 successfully executing its attack against the ChargePoint Home Flex
Image from the ZDI

Raising the ante from yesterday’s multi-bug combos, Chris Anastasio and Fabius Watson of Team Cluck unleashed a four-bug chain against the Phoenix Contact CHARX SEC-3100. While one of the bugs was designated a “collision” as it was previously known, the team still took home US$26,250.

Sina Kheirkhah, for his part, used a two-bug chain to “rickroll” the Ubiquiti Connect EV. He turned on the charger’s camera, which was normally disabled by the manufacturer, and flashed a dancing Rick Astley to seal the deal and walk away with US$30,000.

Sina Kheirkhah “rickrolling” the Ubiquiti Connect EV.

Figure 2. Sina Kheirkhah “rickrolling” the Ubiquiti Connect EV.
Image from the ZDI

The following table shows the contest results of Pwn2Own Automotive Day 3.

AttemptCategoryResult
Daan Keuper, Thijs Alkemade, and Khaled Nassar from Computest Sector 7 targeting the ChargePoint Home FlexElectric Vehicle ChargersSuccess
Connor Ford of Nettitude targeting the Phoenix Contact CHARX SEC-3100Electric Vehicle ChargersFailure
Katsuhiko Sato targeting the Pioneer DMH-WT7600NEXIn-Vehicle InfotainmentFailure
The Synacktiv team targeting the Sony XAV-AX5500In-Vehicle InfotainmentSuccess
Sina Kheirkhah targeting the Ubiquiti Connect EV StationElectric Vehicle ChargersSuccess
Tobias Scharnowski and Felix Buchmann of fuzzware.io targeting the Phoenix Contact CHARX SEC-3100Electric Vehicle ChargersSuccess/Collision
Connor Ford of Nettitude targeting the JuiceBox 40 Smart EV Charging Station Electric Vehicle ChargersSuccess
Tobias Scharnowski and Felix Buchmann of fuzzware.io targeting the EMPORIA EV Charger Level 2Electric Vehicle ChargersSuccess
Chris Anastasio and Fabius Watson of Team Cluck targeting the Phoenix Contact CHARX SEC-3100Electric Vehicle ChargersSuccess/Collision

Table 1. The contest results of Pwn2Own Automotive Day 3. Note: An attempt is designated a “collision” if it involves a non-unique vulnerability (discovered by another researcher or previously known).

While today’s roster of EV chargertargeting attempts was randomly drawn, it doesn’t diminish the growing concern over the cybersecurity of EV charging systems and their potential impacts on the entire EV charging infrastructure. Cybercriminals could use them as stepping stones to compromise other systems: other pieces of electric vehicle supply equipment (EVSE), the service cloud, and even the power grid.

The first-ever Pwn2Own Automotive Master of Pwn

Members of the prolific Synacktiv team, who already had two Tesla hacks under their belts in the competition, did not exploit any EV chargers today. But they did successfully attack the Sony XAV-AX5500 in the In-Vehicle Infotainment (IVI) category and added U$20,000 to their loot.

This feat completed the team’s sweep of all four Pwn2Own Automotive categories: Tesla, In-Vehicle Infotainment (IVI), Electric Vehicle Chargers, and Operating Systems. With 50 Master of Pwn points, about double the number of points of their nearest competitor, they rightfully earned the title of Master of Pwn, signifying the overall winner of the competition. They won a cool Pwn2Own jacket, a Gundam-inspired trophy, and a mind-blowing US$450,000.

Max Cheng (far left), VicOne’s CEO, and Dustin Childs (far right), Head of Threat Awareness for the ZDI, awarding the title of Master of Pwn to the Synacktiv team (center), represented here by David Berard, Vincent Dehors, and Thomas Bouzerar.

Figure 3. Max Cheng (far left), VicOne’s CEO, and Dustin Childs (far right), Head of Threat Awareness for the ZDI, awarding the title of Master of Pwn to the Synacktiv team (center), represented here by David Berard, Vincent Dehors, and Thomas Bouzerar

The final Pwn2Own Automotive leaderboard

Figure 4. The final Pwn2Own Automotive leaderboard

Watch the video below for a quick overview of the highlights of Pwn2Own Automotive Day 3 from Tsutomu Shimizu of VicOne/Trend Micro Cybersecurity Institute.

And that’s a wrap for Pwn2Own Automotive 2024! VicOne is proud to have hosted the inaugural edition of Pwn2Own Automotive with the ZDI. This event not only showcases and rewards the expertise of ethical hackers, but also provides a platform for researchers and industry leaders to collaborate — ensuring a more resilient and robust automotive cybersecurity amid a rapidly evolving threat landscape.

Follow VicOne (LinkedIn, X, blog) for more Pwn2Own Automotive updates. To read more research on vulnerabilities in connected vehicles and learn best security practices, visit our resource center.

With contributions from Dustin Childs of the ZDI

Our News and Views

Gain Insights Into Automotive Cybersecurity
Visit Our Blog

Accelerate Your Automotive Cybersecurity Journey Today

Contact Us