VicOne, a provider of automotive cybersecurity solutions, recently hosted Pwn2Own Automotive 2024 at Automotive World in Tokyo in January to explore and address cybersecurity challenges in the automotive industry. The event was dedicated to discovering and fixing digital security vulnerabilities of connected cars to protect the cybersecurity of vehicles.
Specifically, 17 white hat hacker teams and individuals from nine countries participated in a total of over 50 entries both remotely and onsite in four categories: Tesla, In-Vehicle Infotainment (IVI), EV Chargers, and Operating Systems.
The multi-national event served to connect and engage the automotive industry with the cybersecurity industry. Hacking events like this are crucial to prepare the global automotive industry for the evolving threat landscape.
For example, the ongoing onsite competition also featured attack scenarios that emphasized the importance of discovering cybersecurity vulnerabilities and the potential threats that can arise if vulnerabilities are not addressed promptly.
Early detection of vulnerabilities and sharing them with vendors for their countermeasures is important, first and foremost, from the standpoint of safety and cost. By uncovering vulnerabilities in their own products, participating companies were able to gain insights into how they can develop more secure and reliable products.
“This was a very successful demonstration that we are at the forefront of discovering zero-day vulnerabilities in the automotive industry and protecting against cyber-attacks, thanks to the dedication and expertise of our participants and the great work of our own researchers,” said Max Cheng, CEO of VicOne. “We would like to thank everyone who attended this event and shared the spirit of security research and innovation.”
The participants competed for cash and prizes worth US $1,323,750. A total of 49 unknown security vulnerabilities (zero-day vulnerabilities) were discovered by the participants over the three days.
To win, participants had to take advantage of newly discovered vulnerabilities to attack target systems and devices and execute arbitrary instructions. The event was not only about prestige and competition between the best white hat hackers on the scene, but also about collaboration within the automotive industry and external IT cybersecurity experts to make the entire industry safer.
VicOne’s parent company Trend Micro co-hosted the event through the Zero Day initiative (ZDI), a vendor-agnostic bug bounty program. Electric vehicle manufacturer Tesla, as the main sponsor of the event, put its own products to the test including a modem, infotainment system, and Model Y vehicle. Individual hackers and hacking teams from countries including the USA, Vietnam, Japan, the UK, Hungary, the Netherlands, France, and Germany took part.
The winning team Synacktiv from France came away with a total profit of US $450,000, and now holds the title of “Master of Pwn.” With a total profit of US $177,500, the German fuzzware.io team took second place. The hackers from fuzzware.io targeted the Sony XAV-AX5500 and the Alpine Halo9 iLX-F509 in the IVI category, as well as the ChargePoint Home Flex, the Autel MaxiCharger AC Wallbox Commercial, the EMPORIA EV Charger Level 2 and the Phoenix Contact CHARX SEC-3100 in the Chargers for Electric Vehicles category.
With no less than six hacking attempts, they were among the most diligent hackathon participants. Team Tortuga checked the ChargePoint Home Flex in the category chargers for electric vehicles for possible security vulnerabilities.
“With the constant innovations in the automotive industry, the car is not only a traditional means of transportation but also a completely new mobility and a new living space,” said Cheng. “In an era where our lives and mobility are becoming more closely connected through the Internet, cybersecurity is of paramount importance for people’s economic and physical safety, which is why it is essential to identify and address security vulnerabilities in systems before malicious attackers do. Pwn2Own Automotive 2024 is one of VicOne’s efforts to spread its long-standing security expertise to the automotive industry.”
The zero-day vulnerabilities discovered through this competition will be reported to the respective vendors for further action to fix them. Details of the vulnerabilities will be announced 120 days or later after the conclusion of the competition based on their status. The event revealed the very latest security research and hacking approaches and, therefore, has at least indirect relevance for planned government and industry security measures and regulations.
VicOne will continue to host this event, and I hope to see everyone again at 2025 Pwn2Own Automotive Tokyo.
You may also like:
Filed Under: Technology News