Synacktiv Claims Top Prize at Pwn2Own Auto 2024 Japan
At the Pwn2Own Automotive 2024 competition in Japan, a team of hackers successfully hacked into Tesla’s systems and was awarded $200,000. The three-day event, organized by Zero Day Initiative (ZDI) and VicOne, offers cash prizes for ethically exploiting automotive electronic systems.
The team, known as Synacktiv, succeeded on the first day by executing a three-bug combination against the Tesla Modem, which earned them $100,000. The next day, they scored another win by targeting the Tesla infotainment system with a two-bug chain, earning an additional $100,000.
A variety of systems have been targeted by hackers, including the Automotive Grade Linux, Ubiquiti Connect EV Station, ChargePoint Home Flex, JuiceBox 40 Smart EV Charging Station, and Sony XAV-AX5500. These systems have all been successfully breached in recent attacks.
Among the compromised systems is Automotive Grade Linux, a popular operating system used in vehicles. The hackers were able to infiltrate this system and gain unauthorized access. The Ubiquiti Connect EV Station, a charging station for electric vehicles, was also hacked. This allowed the hackers to remotely control the charging stations and potentially cause damage or disruption to the charging process. The ChargePoint Home Flex, another EV charging station, fell victim to the hackers as well. This left users vulnerable to potential attacks that could manipulate the station’s settings and control the flow of electricity. The hackers also targeted the JuiceBox 40 Smart EV Charging Station. By gaining access to this device, they could interfere with the station’s power supply and potentially cause harm to the vehicle being charged. Last but not least, the Sony XAV-AX5500, a popular car infotainment system, was also successfully hacked by these individuals. This
The increasing use of software-defined technology in vehicles has made cybersecurity a crucial necessity. There have been reports that automakers are collecting personal data from their customers’ cars, raising concerns about data privacy. This issue becomes even more alarming when hackers are able to access and exploit this sensitive information.
The primary objective of the event is to uncover technical vulnerabilities that could be exploited by hackers. According to the organizers, a total of 49 new technical vulnerabilities were identified during the three-day event. This resulted in a prize money payout of $1,323,750, with Synacktiv being declared the ultimate winner and receiving $450,000 and 50 “Master of Pwn” points. In second place was fuzzware.io, earning $177,500, followed by Midnight Blue/PHP Hooligans in third place with a prize of $80,000.
In the previous year, Synacktiv achieved a remarkable milestone by earning $350,000 in addition to winning a Tesla Model 3, all thanks to their quick exploitation of the infotainment system of a midsize electric vehicle in less than two minutes.
There have been reports of individuals attempting to hack Tesla electric vehicles, with the goal of accessing subscription-based features without payment. While these attempts were made for research purposes, it is concerning to think about the potential for malicious hackers to exploit this vulnerability. In fact, one hacker was able to uncover a hidden feature within Tesla’s Full Self-Driving Beta (FSDB) software, referred to internally as “Elon Mode.” This mode significantly decreases the frequency of prompts for the driver to keep their hands on the steering wheel while using the self-driving feature.
It is hoped that Tesla and other manufacturers are closely monitoring these occurrences in order to enhance their safety protocols.