Pwn2Own Automotive_Day 1直擊:針對特斯拉的三個連續的漏洞攻擊鏈(3-Bug Chain)、遠端駭入演示、以及其他亮點

2024年1月24日
VicOne
Pwn2Own Automotive_Day 1直擊:針對特斯拉的三個連續的漏洞攻擊鏈(3-Bug Chain)、遠端駭入演示、以及其他亮點

Pwn2Own Automotive, the first-of-its-kind contest being driven by VicOne with Trend Micro’s Zero Day Initiative (ZDI), got off to a great start today at the Automotive World conference in Tokyo Big Sight. The massive hall was brimming with excitement as different on- and off-site teams, considered among the brightest within the ethical hacking community, prepared to make their marks during the three-day event.

First of many firsts

On Day 1 of Pwn2Own Automotive, 22 attempts were made, including some so-called “Pwn2Own After Dark” attempts, which occurred after the Automotive World’s venue had closed. In total, US$722,500 in prizes was awarded for 24 unique exploits.

Sina Kheirkhah made the first successful attempt, earning US$60,000 for executing an attack against the ChargePoint Home Flex in the Electric Vehicle Chargers category.

Figure 1. Sina Kheirkha successfully executing his attack against the ChargePoint Home Flex

Figure 1. Sina Kheirkha successfully executing his attack against the ChargePoint Home Flex
Image from the ZDI

Another highlight was the contest’s first remote or off-site attempt. RET2 Systems successfully targeted the Phoenix Contact CHARX SEC-3100 in the Electric Vehicle Chargers category and earned US$60,000 in the process.

The biggest prize of the day — a whopping US$100,000 — was awarded to the Synacktiv team, for successfully executing a three-bug chain against the Tesla modem. This is the same Pwn2Own Vancouver 2023 team that used a two-bug chain to demonstrate a remote attack on a Tesla vehicle. Synacktiv also successfully demonstrated four other attack scenarios today, accumulating almost US$300,000 in cash rewards.

Figure 2. The Synacktiv team’s three-bug chain attack against the Tesla modem

Figure 2. The Synacktiv team executing its three-bug chain against the Tesla modem

The following table shows the complete contest results of Pwn2Own Automotive Day 1.

AttemptCategoryResult
Sina Kheirkhah targeting the ChargePoint Home FlexElectric Vehicle ChargersSuccess
Rob Blakely from Cromulence targeting Automotive Grade LinuxOperating SystemsCollision
The PCAutomotive Team targeting the Alpine Halo9 iLX-F509In-Vehicle InfotainmentSuccess
Tobias Scharnowski and Felix Buchmann of fuzzware.io targeting the Sony XAV-AX5500In-Vehicle InfotainmentSuccess
The Synacktiv Team targeting the Tesla Modem with a three-bug chainTeslaSuccess
Katsuhiko Sato targeting the Alpine Halo9 iLX-F509 In-Vehicle InfotainmentSuccess
Sina Kheirkhah targeting the Sony XAV-AX5500In-Vehicle InfotainmentFailure
NCC Group EDG targeting the Pioneer DMH-WT7600NEX with a three-bug chainIn-Vehicle InfotainmentSuccess
The Synacktiv Team targeting the Ubiquiti Connect EV Station with a two-bug chainElectric Vehicle ChargersSuccess
RET2 Systems targeting the Phoenix Contact CHARX SEC-3100 with a two-bug chainElectric Vehicle ChargersSuccess
Vudq16 and Q5CA from u0K++  targeting the Alpine Halo9 iLX-F509In-Vehicle InfotainmentSuccess
The Midnight Blue/PHP Hooligans team targeting the Sony XAV-AX5500In-Vehicle InfotainmentSuccess
The Synacktiv Team targeting the ChargePoint Home Flex with a two-bug chainElectric Vehicle ChargersCollision
Sina Kheirkhah targeting the Phoenix Contact CHARX SEC-3100Electric Vehicle ChargersFailure
The Synacktiv Team targeting the JuiceBox 40 Smart EV Charging Station Electric Vehicle Chargers category with a two-bug chainElectric Vehicle ChargersSuccess
Gary Li Wang targeting the Sony XAV-AX5500In-Vehicle InfotainmentSuccess
Connor Ford of Nettitude targeting the ChargePoint Home Flex with a two-bug chainElectric Vehicle ChargersCollision
NCC Group EDG targeting the Phoenix Contact CHARX SEC-310Electric Vehicle ChargersSuccess
Sina Kheirkhah targeting the JuiceBox 40 Smart EV Charging StationElectric Vehicle ChargersFailure
The Synacktiv Team targeting the Autel MaxiCharger AC Wallbox Commercial with a two-bug chainElectric Vehicle ChargersSuccess
Chris Anastasio and Fabius Watson of Team Cluck targeting the ChargePoint Home Flex in the Electric Vehicle Chargers categoryElectric Vehicle ChargersCollision
Sina Kheirkhah targeting the Pioneer DMH-WT7600NEXIn-Vehicle InfotainmentFailure

Table 1. The complete contest results of Pwn2Own Automotive Day 1. Note: An attempt is designated a “collision” if it involves a non-unique vulnerability (discovered by another researcher or previously known).

Live demos: EV charger vulnerabilities and a remote API attack

As the contest was raging, researchers from the ZDI and VicOne took the floor to demonstrate three intriguing attack scenarios.

Jonathan Andersson, Thanos Kaliyanakis, and Todd Manning from the ZDI walked the rapt audience through their discovery of two EV charger vulnerabilities.

Figure 3. Researchers from the ZDI demonstrating two EV charger vulnerabilities

Figure 3. Researchers from the ZDI demonstrating two EV charger vulnerabilities

Shin Li and Omar Yang from VicOne, on the other hand, demoed a remote API attack using compromised account credentials on a car located halfway across the world.

Figure 4. Researchers from VicOne demonstrating a remote API attack scenario

Figure 4. Researchers from VicOne demonstrating a remote API attack scenario

In keeping with the spirit of exploration and innovation of Pwn2Own Automotive, these demos underscored the indispensable role of automotive vulnerability discovery and the importance of robust cybersecurity protection, given the real-world impact of unaddressed flaws.

Watch the video below for a quick overview of the highlights of the kickoff of Pwn2Own Automotive from Tsutomu Shimizu of VicOne/Trend Micro Cybersecurity Institute.

Stay tuned for Day 2 of Pwn2Own Automotive by following VicOne (LinkedIn, X, blog) and the ZDI (LinkedIn, X, blog).

With contributions from Dustin Childs of the ZDI

VicOne新聞與觀點

深入瞭解汽車網路安全

閱讀最新報告

馬上體驗更先進的汽車網路安全防護

預約專人展示