HomeRisk ManagementsPwn2Own Competition Uncovers Numerous Zero-Day Vulnerabilities

Pwn2Own Competition Uncovers Numerous Zero-Day Vulnerabilities

Published on

spot_img

The automotive edition of the Zero Day Initiative (ZDI)’s Pwn2Own contest is currently taking place in Tokyo, with top ethical hackers from around the world showcasing their skills. The contest, which runs from January 24-26, has already resulted in the discovery of close to 40 zero-day vulnerabilities in Tesla and other automotive products.

The ZDI, known as the world’s largest vendor-agnostic bug bounty program, aims to incentivize ethical hackers to discover and responsibly disclose vulnerabilities in products in order to improve digital security.

On the first day of the competition, a total of 24 zero-day vulnerabilities were found, including a three-bug chain against the Tesla Modem, earning the French Synacktiv Team $100,000. The same team also earned rewards for discovering vulnerabilities in the Ubiquiti Connect EV Station and the JuiceBox 40 Smart EV Charging Station.

The UK’s NCC Group also made significant contributions to the competition, earning rewards for demonstrating vulnerabilities in the Phoenix Contact CHARX SEC-3100 charging controller and the Pioneer DMH-WT7600NEX digital receiver.

As the competition continued into its second day, an additional 15 zero-day vulnerabilities were discovered and exploited in various automotive products. Synacktiv once again demonstrated their prowess by exploiting the Tesla Infotainment System and the Automotive Grade Linux, earning significant rewards for their discoveries.

NCC Group continued to be actively involved in the competition, using a two-bug chain to exploit the Alpine Halo9 iLX-F509 media receiver.

At the time of writing, the total prize money handed out so far has exceeded $1 million. Vendors will have 90 days to address the vulnerabilities discovered in the competition before the details go public.

In a previous warning issued in 2022, the Trend Micro-owned initiative highlighted concerns about poor quality vendor patching and confusing advisories, which were posing unnecessary risk to customers. The initiative argued that these factors were leaving network defenders unable to accurately gauge their exposure to risk and were increasing the likelihood of faulty or incomplete patches. To address these concerns, the initiative revised its disclosure policy to require fixes within a range of 90 to 30 days, depending on the criticality of the vulnerabilities.

The Pwn2Own Automotive competition is set to conclude tomorrow, with the ethical hackers continuing to uncover and demonstrate vulnerabilities in automotive products in the pursuit of making the digital world a safer place.

Source link

Latest articles

Selecting Secure and Verifiable Technologies

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) recently released a comprehensive...

CISA Alert: Exploitation of Vulnerabilities in Zyxel, ProjectSend, and CyberPanel Detected

The recent addition of multiple security flaws affecting products from Zyxel, North Grid Proself,...

Indian Bank Launches Campaign to Address Growing Cybercrime Concerns

Indian Bank has recently launched a new campaign, Khabar Nahi, Khabardar Bano, with the...

Top 8 cybersecurity threats faced by manufacturers

In the current landscape of cybersecurity threats, regulatory frameworks are stepping up to designate...

More like this

Selecting Secure and Verifiable Technologies

The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) recently released a comprehensive...

CISA Alert: Exploitation of Vulnerabilities in Zyxel, ProjectSend, and CyberPanel Detected

The recent addition of multiple security flaws affecting products from Zyxel, North Grid Proself,...

Indian Bank Launches Campaign to Address Growing Cybercrime Concerns

Indian Bank has recently launched a new campaign, Khabar Nahi, Khabardar Bano, with the...