The first-ever Pwn2Own Automotive hacking event saw multiple teams of elite hackers descend on Tokyo during the Automotive World conference. With more than $1 million in bounty payments on offer, the competition was fierce. The event, organized by the Trend Micro Zero-Day Initiative, focused solely on the automotive sector and involved the best hacking teams from around the world.
The concept of the Pwn2Own Automotive event is similar to other hacking events organized by the Zero-Day Initiative. Here, hacking teams from across the globe compete against each other using previously unknown ‘zero-day’ exploits to gain access to pre-determined tech targets. However, in the case of Pwn2Own Automotive, the sole focus was on electric vehicles and the systems and services associated with them.
The bounty-hunting hackers and security researchers were given strict time limits to successfully hack specific targets. Successful demonstrations of newly discovered vulnerabilities, known as zero-days, were rewarded with substantial cash payments. The event saw the successful exploitation of 49 unique zero-days, amounting to bounties worth an astonishing $1,323,750 over the course of three days.
The highlight of the event was the successful hacking of Tesla vehicles by a single group of hackers, Team Synacktiv. The hackers exploited vulnerabilities in the Tesla Modem and the Tesla Infotainment System, earning a total of $450,000 in cash prizes. Team Synacktiv also compromised other targets, including smart EV charging stations, Automotive Grade Linux, and infotainment systems, further solidifying their victory.
Despite the alarming nature of these hacks, they serve a greater purpose. Every vulnerability that the hackers exploit is immediately brought to the attention of the respective vendors to ensure that the issues are fixed. This allows the vendors to release patches before any technical information is disclosed to the public, preventing less ethical actors from exploiting these vulnerabilities. It is important to note that none of the zero-days exploited during the event were sold or redistributed by the Zero-Day Initiative.
In light of these events, Forbes reached out to Tesla for comment, but a reply was not immediately available.
With the conclusion of Pwn2Own Automotive 2024, the focus on the vulnerabilities in electric vehicle systems has underscored the need for robust cybersecurity measures in the automotive sector. The event has not only exposed potential weaknesses in the systems but also provided an opportunity for patching these vulnerabilities, ultimately contributing to the overall security of electric vehicles and associated technologies.