At Pwn2Own 2024, researchers uncovered a wide range of vulnerabilities in electric vehicle chargers, Tesla components, and operating systems. The event had garnered attention last year for targeting cars as an attack surface, but this year’s event proved to be even more enlightening.
The first day of the competition saw the demonstration of 24 unique zero-day vulnerabilities, resulting in $722,500 in winnings for contestants. Day two saw an additional 20 new exploits, and the final day promised nine more, bringing the total to 53 zero-day vulnerabilities uncovered over the course of the event.
Dustin Childs, head of threat awareness for Trend Micro’s Zero Day Initiative (ZDI), noted that vehicles are becoming increasingly complex systems, with a lack of external scrutiny leading to potential security issues. This lack of research into the security of vehicle systems has raised concerns about the overall safety of modern cars.
Last year, a team from Synacktiv made headlines by successfully hacking into a Tesla Model 3 in under two minutes. This year, the team returned to demonstrate exploits of the Ubiquiti Connect and JuiceBox 40 Smart EV charging stations, the ChargePoint Home Flex, and the Automotive Grade Linux. The most notable achievements included a three-bug exploit chain against Tesla’s modem and a two-bug chain against its infotainment system, each earning a $100,000 cash prize.
According to the rules of the event, vendors have 90 days to address security flaws before they are publicly disclosed. The Synacktiv team provided a high-level overview of the attacks, revealing that the vulnerabilities allowed unauthorized access to the Tesla’s modem and infotainment system, providing control over components such as headlights, windshield wipers, and access to the trunk and doors.
Renaud Feil, CEO of Synacktiv, emphasized that while Tesla cars have a vast attack surface due to their IT-focused design, they also have a strong security team that pays attention to security measures. This duality presents a unique challenge for those looking to exploit vulnerabilities in Tesla vehicles.
Ken Tindell, chief technology officer of Canis Automotive Labs, noted the growing attack surface of vehicles with the addition of wireless connectivity and remote access capabilities. He highlighted the challenge of managing IT equipment alongside safety-critical machinery, such as brakes and headlights, in a way that prevents vulnerabilities from affecting the overall safety of the vehicle.
Tindell suggested two potential approaches to vehicle cybersecurity, including leveraging phone-based systems like Apple CarPlay and Android Auto, as well as licensing operating systems from large companies like Google. However, the long-term effectiveness of these solutions remains a concern, as they rely on the ability of third-party providers to consistently deliver security updates.
Overall, Pwn2Own 2024 emphasized the need for enhanced cybersecurity measures in the automotive industry. Both Feil and Tindell stressed the importance of investing in cybersecurity and conducting thorough audits to identify and address potential vulnerabilities. They also suggested that regulatory intervention may be necessary to ensure that manufacturers prioritize cybersecurity in their vehicles, given the significant impact of security breaches on public safety.