Researchers Exploited Tesla Modem, Sony & Alpine Players in Pwn2Own Automotive

Pwn2Own 2024 Automotive is a unique event aimed at identifying and fixing flaws in connected automotive technologies. Tokyo, Japan, hosts Pwn2Own 2024 Automotive from January 24–26, 2024.

Tesla is the title sponsor, and VicOne and Trend Micro’s Zero Day Initiative (ZDI) are co-hosts. Researchers compromised the Tesla modem and Sony and Alpine players on the first day.

The more than 45 entries across all categories are expected to earn rewards of more than USD 1,000,000, as the number of entries exceeded initial projections.

Pwn2Own Automotive 2024 Day 1

Sina Kheirkhah successfully carried out his attack against the ChargePoint Home Flex, earning $60,000 and six Master of Pwn Points.

Tobias Scharnowski and Felix Buchmann of fuzzware.io carried out their attack on the Sony XAV-AX5500, earning $40,000 and four Master of Pwn Points.

Gary Li Wang exploited the Sony XAV-AX5500 using a stack-based buffer overflow. He receives four Master of Pwn Points and $20,000.

The Synacktiv Team completed a 3-bug chain against the Tesla Modem. They win $100,000 and 10 Master of Pwn Points.

Synacktiv carried out a 2-bug chain against the JuiceBox 40 Smart EV Charging Station. They earn $60,000 and six Master of Pwn Points.

Using a UAF exploit, the PCAutomotive Team successfully targeted the Alpine Halo9 iLX-F509 and earned $40,000 and 4 Master of Pwn Points.

Vudq16 and Q5CA from u0K++ carried out a successful stack-based buffer overflow against the Alpine Halo9 iLX-F509. They receive 4 Master of Pwn Points and $20,000.

Katsuhiko Sato carried out a command injection attack against the Alpine Halo9 iLX-F509. He received $20,000 and four Master of Pwn Points because this was his second-round victory.

NCC Group EDG implemented a 3-bug chain against the Pioneer DMH-WT7600NEX. Along with four Master of Pwn Points, they receive $40,000.

NCC Group EDG exploited an improper input validation flaw in the Phoenix Contact CHARX SEC-3100. They receive six Master of Pwn Points in addition to $30,000.

The Synacktiv Team attacked the Ubiquiti Connect EV Station using a 2-bug chain. They earn $60,000 and six Master of Pwn Points.

RET2 Systems carried out a 2-bug chain against the Phoenix Contact CHARX SEC-3100. They get six Master of Pwn Points and $60,000.

The Sony XAV-AX5500 was the target of a stack-based buffer overflow carried out by the PHP Hooligans / Midnight Blue team. In addition to four Master of Pwn Points, they receive $20,000.

The contest’s full schedule may be seen here. This is a complete list of the Day 1 results for Pwn2Own Automotive 2024.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.