Multiple teams of elite hackers took part in the first Pwn2Own hacking event to focus solely on the automotive sector. The hackers gathered in Tokyo during the Automotive World conference with more than $1 million in bounty payments on offer. Tesla, being the first name most people think of when talking about electric vehicles, was successfully hacked twice by the same hackers, Team Synacktiv, who also won the overall competition and pocketed $450,000.

What Is The Pwn2Own Automotive Hacking Event?

The first-ever Pwn2Own Automotive event was organized by the Trend Micro Zero-Day Initiative, the same people behind the annual Pwn2Own hacking events we have reported on over the years here at Forbes. It shares a similar setup: some of the best hacking teams from across the globe take part to compete against pre-determined tech targets and each other, using previously unknown ‘zero-day’ exploits. In the case of Pwn2Own Automotive, electric vehicles and the systems and services that are associated with them were the only targets in the hacking crosshairs.

Tokyo Hackers Use 49 Zero-Days To Earn $1,323,750

These elite bounty-hunting hackers and security researchers are given stringent time limits in which they must successfully hack the specific target they are given. Success is rewarded by substantial cash payments through bounties for successfully demonstrating newly discovered, or zero-day, vulnerabilities and passing the technical details over to the vendor victim. They are also allocated points towards an overall Masters of Pwn leaderboard and the kudos attached to finishing atop it and being declared the Master of Pwn.

Overall, Pwn2Own Automotive 2024 awarded bounties worth an astonishing $1,323,750 for 49 unique zero-days successfully exploited across the event’s three days.

Tesla Hacked. Twice!

The Masters of Pwn (Automotive) 2024 title went to Team Synacktiv, which, among other things, hacked the Tesla Modem by exploiting a three-vulnerability chain to win $100,000 on day one, and compromised the Tesla Infotainment System with a two-vulnerability chain on day two for another $100,000 in cash. I said "among other things," and those were compromises of:

  • JuiceBox 40 Smart EV Charging Station ($60,000)
  • ChargePoint Home Flex ($16,000)
  • Ubiquiti Connect EV Station ($60,000)
  • Automotive Grade Linux ($35,000)
  • Sony XAV-AX5500 infotainment ($20,000)

This makes the cash prizes won by Team Synacktiv a rather impressive $450,000.

The full results can be found detailed in the official ZDI Pwn2Own Automotive blog.

Hacking Is Not A Crime

How can all of these electric vehicle hacking shenanigans be a good thing? Well, every vulnerability these zero-day hackers exploit is immediately turned over to the vendor in question for them to fix the issue. Patches are then released before any technical information of merit is disclosed to the public to ensure less ethical actors cannot maliciously exploit the vulnerabilities. None of the zero-days are either sold or redistributed by ZDI.

I reached out to Tesla about the Pwn2Own Automotive results but a reply was not immediately available.
