Trend Micro’s Zero Day Initiative (ZDI) recently hosted its inaugural automotive-focused Pwn2Own event in Tokyo, where a total of 49 vehicle-related zero-day vulnerabilities were discovered, resulting in payouts of over $1.3 million to the researchers who uncovered them.
Researchers from French security outfit Synacktiv emerged as the top winners of the event, taking home $450,000 after successfully demonstrating six exploits. One of their notable achievements involved gaining root access to a Tesla modem, while another exploit demonstrated a sandbox escape in Tesla’s infotainment system.
The three-day event saw a wide range of targets, including after-market infotainment systems and a troubling series of successful hacks on EV chargers. Five separate $60,000 bounties were awarded for successful attacks on EV chargers manufactured by various companies.
In addition to the exploits on Tesla’s systems, multiple attempts were made to target Automotive Grade Linux, a platform used as the backbone of infotainment systems by several leading automotive OEMs. Unfortunately, only one of the attempts was successful, once again achieved by the Synacktiv team.
Because the vulnerabilities exploited at the event were newly reported zero-days, little information about the specifics of the flaws was disclosed.
Looking ahead, ZDI’s next scheduled event will be its annual Pwn2Own competition in Vancouver, where hackers will demonstrate their skills in exploiting vulnerabilities in cloud-native and container software.
In other notable developments, networking giant Cisco recently reported a critical vulnerability in several of its Unified Communications and Contact Center products. The vulnerability, tracked as CVE-2024-20253, carries a CVSS score of 9.9 and could allow an attacker to execute arbitrary commands on the underlying OS. While Cisco UCM software is not intended to be exposed to the internet, the company has urged users to install the patches to mitigate the risk.
Furthermore, Apple has patched a zero-day vulnerability in WebKit, tracked as CVE-2024-23222, that is under active exploitation. The fix ships in the latest updates to Apple’s various operating systems and Safari, and users should patch their systems as soon as possible.
The US Securities and Exchange Commission (SEC) also made headlines after admitting that its Twitter account was hacked through a SIM swap attack, which gave the unauthorized party control of the SEC’s cell phone number. The incident led to the premature release of news involving the SEC’s stance on Bitcoin exchange-traded funds.
Additionally, researchers have discovered a new macOS malware family hidden in previously cracked apps, which includes a backdoor capable of executing arbitrary commands on infected machines and stealing crypto wallet seed phrases.
Overall, these incidents serve as a reminder of the ongoing importance of maintaining robust cybersecurity practices across various sectors, from automotive technology to financial regulation and beyond. As cyber threats continue to evolve, organizations and individuals must remain vigilant in their efforts to safeguard their systems and data against potential exploits and attacks.