Pwn2Own Automotive: Tesla Hacked Twice and 49 Zero-Day Vulnerabilities Demonstrated
The first-ever Pwn2Own Automotive hacking competition, dedicated to car hacking and everything related to it, was held in Tokyo and organized by the Trend Micro Zero Day Initiative (ZDI). Over three days, participants earned a total of $1,323,750, hacked a Tesla twice, and exploited 49 zero-day vulnerabilities against electric vehicles, charging stations, and more.
Competition Details and Targets
The event took place as part of the Automotive World conference. Hackers were challenged to target Tesla Model 3/Y (Ryzen-based) or Tesla Model S/X (Ryzen-based), including infotainment systems, modems, tuners, wireless communication, and autopilot. Other targets included electric vehicle charging stations and automotive operating systems such as Automotive Grade Linux, Android Automotive OS, and BlackBerry QNX.
Disclosure and Remediation Process
After Pwn2Own concludes, all vulnerabilities demonstrated by the participants are reported to the affected vendors, who are required to fix the issues within 90 days. Once that period ends, the Trend Micro Zero Day Initiative publicly releases the technical details of every zero-day exploit used during the competition.
Winners and Notable Achievements
The undisputed winners of Pwn2Own Automotive 2024 were the Synacktiv team, earning $450,000 and 50 Master of Pwn points. They were followed by fuzzware.io with $177,500 (25.5 points) and Midnight Blue/PHP Hooligans with $80,000 (16 points).
Highlights of the Competition
- The Synacktiv team compromised a Tesla twice: first, they gained root access to the Tesla modem by chaining together three vulnerabilities, and then they escaped the car’s infotainment system sandbox using two separate zero-day exploit chains.
- Researchers also demonstrated two unique attack chains targeting Ubiquiti Connect EV and Smart EV JuiceBox 40 charging stations, as well as an exploit combining three flaws in Automotive Grade Linux.
Background and Previous Successes
It’s worth noting that Synacktiv is no stranger to leading at Pwn2Own. For example, they were also the winners of Pwn2Own Vancouver 2023, where they successfully hacked a Tesla Model 3, demonstrated privilege escalation in Ubuntu Desktop, and more.