DALLAS and TOKYO, January 31, 2024 —VicOne hosted “Pwn2Own Automotive 2024“, its ethical hacking event exclusively for the automotive sector, at Automotive World in Tokyo (January 24-26, 2024) to explore and address cybersecurity challenges in the automotive industry.
Pwn2Own Automotive 2024 is a hackathon where hackers are invited to discover cyber vulnerabilities in connected vehicles. The hackathon is being organized by VicOne and ZDI, and it aims to identify potential threat points in modern vehicles that are connected to the internet.
The event was dedicated to discovering and fixing digital security vulnerabilities of connected cars to protect the cybersecurity of vehicles. Specifically, 17 white hat hacker team and individuals from nine countries participated in a total of over 50 entries both remotely and on-site in four categories:
- Tesla
- In-Vehicle Infotainment (IVI)
- EV Chargers
- Operating System
The participants competed for cash and prizes worth US $1,323,750. A total of 49 unknown security vulnerabilities (zero-day vulnerabilities) were discovered by the participants over the three days. To win, participants had to take advantage of newly discovered vulnerabilities to attack target systems and devices and execute arbitrary instructions. The event was not only about prestige and competition between the best white hat hackers on the scene. It was also about collaboration within the automotive industry and with external IT cybersecurity experts to make the entire industry safer.
VicOne’s parent company, global cybersecurity leader Trend MicroTM, co-hosted the event through the Zero Day initiative™ (ZDI), the world’s largest vendor-agnostic bug bounty program. As the main sponsor of the event, Tesla, an electric vehicle manufacturer, put its own products to the test. This included a modem, infotainment system, and Model Y vehicle. Individual hackers and hacking teams from countries including the USA, Vietnam, Japan, the UK, Hungary, the Netherlands, France, and Germany took part.
The winning team Synacktiv from France came away with a total profit of US $450,000, and now holds the title of “Master of Pwn.” With a total profit of US $177,500, the German fuzzware.io team took second place. The hackers from fuzzware.io targeted the Sony XAV-AX5500 and the Alpine Halo9 iLX-F509 in the In-Vehicle Infotainment (IVI) category. They also focused on the ChargePoint Home Flex, the Autel MaxiCharger AC Wallbox Commercial, the EMPORIA EV Charger Level 2, and the Phoenix Contact CHARX SEC-3100 in the Chargers for Electric Vehicles category. With no less than six hacking attempts, they were among the most diligent hackathon participants. Team Tortuga checked the ChargePoint Home Flex in the category chargers for electric vehicles for possible security vulnerabilities.
The multinational event also served to connect and engage the automotive industry with the cybersecurity industry. Hacking events like this are crucial to prepare the global automotive industry for the evolving threat landscape. For example, the ongoing on-site competition also featured attack scenarios. These scenarios emphasized the importance of discovering cybersecurity vulnerabilities. The presentation also emphasized potential threats that may arise if we do not promptly address vulnerabilities. Early detection of vulnerabilities and sharing them with vendors for their countermeasures is important, first and foremost, from the standpoint of safety and cost. By uncovering vulnerabilities in their own products, participating companies were able to gain insights into how they can develop more secure and reliable products.
This competition will report the zero-day vulnerabilities to the respective vendors for further action to fix them. The competition will announce details of the vulnerabilities 120 days or later after concluding, based on their status. Moreover, the event revealed the very latest security research and hacking approaches. Therefore, it has at least indirect relevance for planned government and industry security measures and regulations.
“With the constant innovations in the automotive industry, the car is not only a traditional means of transportation. It is also a completely new mobility and a new living space,” said Max Cheng, CEO of VicOne. “In an era where our lives and mobility are becoming more closely connected through the Internet, cybersecurity is crucial. It is of paramount importance for people’s economic and physical safety. This is why it is essential to identify and address security vulnerabilities in systems before malicious attackers do. Pwn2Own Automotive 2024 is one of VicOne’s efforts to spread its long-standing security expertise to the automotive industry.”
Cheng continued, “We are also delighted that the number of entries far exceeded our expectations. This was a very successful demonstration, showcasing our leadership in discovering zero-day vulnerabilities in the automotive industry. We are effectively protecting against cyber-attacks, thanks to the dedication and expertise of our participants. The great work of our own researchers has played a crucial role in our success. We would like to thank everyone who attended this event and shared the spirit of security research and innovation. Moreover, this is not a one-time event. VicOne will continue to host this event, and I hope to see everyone again at 2025 Pwn2Own Automotive Tokyo.”
“Since 2007, Pwn2Own has been the world’s largest hacking contest. It rewards top researchers with the ability to penetrate the most challenging attack surface and discover zero-day vulnerabilities. Previous competitions have covered a wide range of areas. This year’s competition was the first Pwn2Own to focus on automobiles. The discovery of 49 new unknown vulnerabilities is significant. Moreover, it presents an opportunity to bring together a community of automotive vendors and world-class security researchers. They can share the latest and most valuable insights into automotive cybersecurity, which is critical for the global automotive industry’s ability to prepare for evolving threats.” explained Brian Gorenc, VP of Threat Research at VicOne’s parent company Trend Micro and responsible for the ZDI program.
News related to VicOne –
