May 24, 2022
With the end of Pwn2Own Vancouver 2022, we look into the results of the automotive category and share security insights.
Last week, Pwn2Own Vancouver 2022 came to a close, marking its fifteenth anniversary. Pwn2Own is a biannual hacking conference where researchers compete to expose weaknesses and vulnerabilities in popular products. Researchers are invited to demonstrate their skills and to win prizes that include the very devices they successfully hacked. Participating brands, meanwhile, benefit from the disclosure of vulnerabilities and the opportunity to address weaknesses in their products.
This year, 17 contestants attempted to exploit 21 targets in the three-day event. Among the highlights were two hacking attempts on Tesla Model 3 components.
David Berard and Vincent Dehors, researchers from Synacktiv, conducted the first attempt on Tesla. They were able to demonstrate two unique bugs in a sandbox escape exploit on Tesla Model 3’s infotainment system (IVI). This success garnered them US$75,000 in prize money.
In the second attempt, @Jedar_LZ targeted Tesla Model 3’s diagnostic Ethernet using root persistence. Unfortunately, the hack was not completed within the allotted time. While unsuccessful, Zero Day Initiative (ZDI) acquired the exploit and disclosed it to Tesla for patching.
Threats to connected cars
In 2019, the automotive category became part of Pwn2Own as a result of a partnership with Tesla. Events like Pwn2Own, alongside cybersecurity research on connected cars, play an important role in giving us clues about the possible threats that the automotive industry faces. This allows us to anticipate what measures are needed to secure future connected cars.
Threats to the in-vehicle infotainment system (IVI), in particular, are significant because this component can be targeted remotely and offers potential attackers a way to use established tools to conduct attacks. IVIs run slightly modified operating systems that are close to those of mobile phones or desktops, which makes exploiting existing vulnerabilities relatively easy for attackers compared with the highly specialized real-time operating systems used in electronic control units (ECUs).
It is also worth pointing out that an IVI is still difficult to hack, which is why successfully doing so in the Pwn2Own challenge is proof of skill. Additionally, there are already existing exploits used in the gray market for unlocking expensive IVI features — further proof that while automotive manufacturers (OEMs), in cooperation with Tier 1 vendors, are improving the security of their products, cybercriminals are also evolving their tools.
As for consequences, a successful attack on the IVI can allow a potential threat actor further control over a vehicle’s critical subsystems like its brakes or steering. A successful attack can therefore lead to unforeseeable damage, endanger safety and privacy, as well as lead to financial loss should the IVI unit become locked or erased.
Thankfully, there have yet to be reports of real-world attacks on connected cars. The threats that we know have been disclosed by security researchers such as those who join Pwn2Own. But this should not encourage complacency, as continuing research shows that risks persist and can still have a significant impact on the entire automotive industry, not to mention a company’s operation and reputation.
Securing the connected car
Now more than ever, automotive cybersecurity is imperative. Standards such as UN Regulation No. 155 (UN R155) and ISO/SAE 21434 are testaments to this, as they espouse the presence of cybersecurity in connected cars throughout their life cycle. This holistic approach should in turn decrease the number of unaddressed vulnerabilities to a minimum.
Based on research and experiences from the IT world, in-vehicle protection, multilayered security with comprehensive coverage of a connected car’s ecosystem, and a vehicle security operations center (VSOC) are essential to the top-of-mind solution that is best suited for securing connected cars.
To anticipate and adequately prepare for similar hacks becoming real-world attacks, OEMs and Tier 1 suppliers can take advantage of VicOne’s unified and multilayered solutions.
Detection, prevention, and early warning
Our VSOC DR platform continuously monitors the vehicle and its ECUs. In the Pwn2Own hack, researchers were able to crash the IVI by inducing a double free error. We can give OEMs the visibility they need so that they can take the appropriate measures to prevent such ECU crashes from happening. Using anomaly detection to trigger an alert that includes the context of the event and the timeline information on our dashboard can allow OEMs to identify potential issues before there are consequences.
With our in-vehicle IDPS, behavior monitoring detects sandbox escape behavior while system exploit prevention blocks privilege escalation.
For critical vulnerabilities, our Virtual Patch can rapidly mitigate these vulnerabilities and buy OEMs or ECU suppliers more time to fix or patch the root issue.
OEMs must also be highly adaptive and stay abreast of ever-evolving cyberthreats and can consider these solutions:
- Vulnerability Management Plus. This tool can help OEMs better understand the software risks of their vehicle ECUs by finding related vulnerabilities, malware, and backdoor threats.
- Pen Testing. It can help OEMs monitor whether their systems can be exploited.
Designed to support large-scale connected car deployments, VicOne supports the cybersecurity of a vehicle throughout its life cycle.
Leveraging over 30 years of cybersecurity experience from Trend Micro and the expertise of more than 10,000 independent researchers from ZDI, VicOne’s cybersecurity solutions use the latest technologies like machine learning, behavior monitoring, and detection and response to help secure connected cars.
Learn more about our solutions by visiting our home page.