The automotive edition of the Zero Day Initiative (ZDI)’s Pwn2Own contest is currently taking place in Tokyo, with top ethical hackers from around the world showcasing their skills. The contest, which runs from January 24-26, has already resulted in the discovery of close to 40 zero-day vulnerabilities in Tesla and other automotive products.
The ZDI, known as the world’s largest vendor-agnostic bug bounty program, aims to incentivize ethical hackers to discover and responsibly disclose vulnerabilities in products in order to improve digital security.
On the first day of the competition, a total of 24 zero-day vulnerabilities were found, including a three-bug chain against the Tesla Modem, earning the French Synacktiv Team $100,000. The same team also earned rewards for discovering vulnerabilities in the Ubiquiti Connect EV Station and the JuiceBox 40 Smart EV Charging Station.
The UK’s NCC Group also made significant contributions to the competition, earning rewards for demonstrating vulnerabilities in the Phoenix Contact CHARX SEC-3100 charging controller and the Pioneer DMH-WT7600NEX digital receiver.
As the competition continued into its second day, an additional 15 zero-day vulnerabilities were discovered and exploited in various automotive products. Synacktiv once again demonstrated their prowess by exploiting the Tesla Infotainment System and the Automotive Grade Linux, earning significant rewards for their discoveries.
NCC Group continued to be actively involved in the competition, using a two-bug chain to exploit the Alpine Halo9 iLX-F509 media receiver.
At the time of writing, the total prize money handed out so far has exceeded $1 million. Vendors will have 90 days to address the vulnerabilities discovered in the competition before the details go public.
In a previous warning issued in 2022, the Trend Micro-owned initiative highlighted concerns about poor quality vendor patching and confusing advisories, which were posing unnecessary risk to customers. The initiative argued that these factors were leaving network defenders unable to accurately gauge their exposure to risk and were increasing the likelihood of faulty or incomplete patches. To address these concerns, the initiative revised its disclosure policy to require fixes within a range of 90 to 30 days, depending on the criticality of the vulnerabilities.
The Pwn2Own Automotive competition is set to conclude tomorrow, with the ethical hackers continuing to uncover and demonstrate vulnerabilities in automotive products in the pursuit of making the digital world a safer place.