Pwn2Own Ireland: Hackers Expose 34 Zero-Days

Pwn2Own Automotive 2024: Hackers Uncover Dozens of Critical Flaws in Cars and EV Chargers

The modern vehicle is a technological marvel, often described as a “computer on wheels.” But with increasing connectivity comes a growing risk of cyber threats. A recent landmark cybersecurity competition has put this risk into sharp focus, as ethical hackers successfully exposed dozens of previously unknown vulnerabilities in modern automotive systems.

The Pwn2Own Automotive 2024 event, a specialized ethical hacking contest, brought together the world’s top security researchers to test the defenses of in-vehicle infotainment (IVI) systems, electric vehicle (EV) chargers, and modems. The results were staggering: researchers discovered 34 unique zero-day vulnerabilities, earning over $1 million in prize money for their efforts.

This event serves as a critical reminder that the software running our cars and the infrastructure supporting them requires constant and rigorous security testing.

Key Systems Under the Microscope

The competition targeted the core components that make a modern vehicle smart and connected. Researchers focused their skills on three primary categories:

  • Tesla Systems: Tesla, as a leader in automotive technology, saw its products, including its modem and infotainment systems, become a primary target.
  • In-Vehicle Infotainment (IVI): These systems control everything from navigation and music to vehicle settings. A compromise here could lead to driver distraction or access to sensitive data.
  • Electric Vehicle (EV) Chargers: With the rise of EVs, the security of charging stations is paramount. A vulnerability could disrupt charging networks, steal user data, or even manipulate the charging process.

The sheer number of successful exploits highlights a widespread need for improved security across the automotive industry.

Highlights from the Competition: Major Systems Compromised

One team, Synacktiv, stood out by earning the title of “Master of Pwn” and walking away with $450,000 in prize money. Their successes demonstrated the potential for deep-level system compromise.

Among their most significant achievements was a three-bug chain attack against the Tesla modem. By exploiting a heap overflow and an out-of-bounds write vulnerability, the team was able to gain “root” access—the highest level of administrative control over the device. This level of access could potentially allow an attacker to monitor or intercept data passing through the modem.

The team didn’t stop there. They also demonstrated sophisticated, multi-stage attacks against two prominent EV chargers:

  • ChargePoint Home Flex: Researchers successfully chained multiple vulnerabilities to gain root access to the charger.
  • JuiceBox 40: Another complex attack allowed the team to achieve complete control over this popular EV charging unit.

These demonstrations are not just theoretical exercises. They represent real-world security gaps that, if discovered by malicious actors, could have serious consequences for vehicle owners and public infrastructure.

The Broader Implications for Vehicle Security

While no consumer data or vehicles were harmed during the event, the findings are a wake-up call. The vulnerabilities discovered are now being disclosed confidentially to the manufacturers, who have a 90-day window to develop and release patches before the technical details are made public. This process, known as responsible disclosure, is a cornerstone of ethical hacking and helps protect consumers by ensuring flaws are fixed before they are widely known.

The event underscores that as cars become more connected, their “attack surface” grows. From the Bluetooth connection with your phone to the Wi-Fi in your garage and the cellular modem that enables over-the-air updates, every point of connection is a potential entry point for an attacker.

How to Protect Your Connected Vehicle

While manufacturers are ultimately responsible for securing their products, vehicle owners can take several steps to improve their personal security posture.

  1. Always Install Software Updates: The most important step you can take is to keep your vehicle’s software up to date. Manufacturers release over-the-air (OTA) updates to patch security holes and improve functionality. Enable automatic updates if the option is available.

  2. Be Cautious with Third-Party Apps: Just like on your smartphone, only download and install applications on your car’s infotainment system from trusted sources. Vet the permissions these apps request.

  3. Secure Your Home Network: If your EV charger or vehicle connects to your home Wi-Fi, ensure your network is protected with a strong, unique password and WPA3 encryption if possible.

  4. Use Strong Passwords for Vehicle Apps: The mobile app that connects to your car is a gateway to its functions. Protect that account with a long, complex password and enable two-factor authentication (2FA).

  5. Limit Physical Port Access: Be mindful of who plugs devices into your car’s USB or OBD-II ports, as these can be used to load malicious software.

Events like Pwn2Own Automotive are vital for the health of the industry. By incentivizing the world’s best security talent to find flaws in a controlled environment, they help make the technology we rely on every day safer for everyone.

Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-34-zero-days-on-first-day-of-pwn2own-ireland/