Pwn2Own Contest Unearths Dozens of Zero-Day Vulnerabilities

Written by

Some of the world’s top ethical hackers are competing in Tokyo this week, having already found close to 40 zero-day vulnerabilities in Tesla and other products.

The first ever automotive edition of the Zero Day Initiative (ZDI)’s Pwn2Own contest runs from January 24-26. The ZDI is the world’s largest vendor-agnostic bug bounty program, incentivizing ethical hackers to find and responsibly disclose vulnerabilities in products in order to make the digital world safer.

On day one, 24 zero-days were discovered including a three-bug chain against the Tesla Modem, which earned the French Synacktiv Team $100,000. The same team earned $60,000 for a two-bug chain against the Ubiquiti Connect EV Station and another $60,000 for a novel two-bug chain against the JuiceBox 40 Smart EV Charging Station.

The UK’s NCC Group was also in action, earning $30,000 for demonstrating an improper input validation against the Phoenix Contact CHARX SEC-3100 charging controller and $40,000 for a three-bug chain against the Pioneer DMH-WT7600NEX digital receiver.

Read more on Tesla vulnerabilities: Chinese Hackers Remotely Control Tesla Cars

At the time of writing, a further 15 zero-day vulnerabilities had been discovered and demonstrated in exploits on day two of the competition.

Synacktiv was once again on target with a two-bug chain to attack the Tesla Infotainment System, garnering the group $100,000. It also used a three-bug chain to exploit Automotive Grade Linux, for a $35,0000 reward.

NCC Group was in the thick of the action again, using a two-bug chain against the Alpine Halo9 iLX-F509 media receiver, which earned it $20,000.

That brings the total prize money handed out so far at over $1m. Vendors will have 90 days to fix the vulnerabilities discovered in the competition before the ZDI goes public.

Back in 2022, the Trend Micro-owned initiative warned that poor quality vendor patching and confusing advisories were exposing customers to unnecessary extra risk. It argued that this left network defenders unable to accurately gauge their risk exposure and at risk from faulty or incomplete patches.

It subsequently changed its disclosure policy from a standard 120 days to a range of between 90 and 30 days, depending on criticality.

Pwn2Own Automotive concludes tomorrow.

What’s hot on Infosecurity Magazine?