Pwn2Own Automotive 2024 Tokyo

The first edition of Pwn2Own Automotive has ended with competitors earning $1,323,750 for hacking Tesla twice and demoing 49 zero-day bugs in multiple electric car systems between January 24 and January 26.

Throughout the contest organized by Trend Micro's Zero Day Initiative (ZDI) in Tokyo, Japan, during the Automotive World auto conference, hackers targeted fully patched electric vehicle (EV) chargers, infotainment systems, and car operating systems.

After a zero-day vulnerability is exploited and reported to vendors during Pwn2Own, they have 90 days to release security patches before Trend Micro's Zero Day Initiative discloses it publicly.

You can find the complete set of targets and the rules of Pwn2Own Automotive here. The full schedule is listed here.

The Pwn2Own Automotive 2024 contest was won by Team Synacktiv, who took home $450,000 in cash, followed by fuzzware.io with $177,500 and Midnight Blue/PHP Hooligans with $80,000.

Pwn2Own leaderboard
Pwn2Own leaderboard (ZDI)

​Synacktiv hacked the Tesla car twice, getting root permissions on a Tesla Modem by chaining three vulnerabilities on the first day and demoing a Tesla Infotainment System sandbox escape via a two zero-day exploit chain on the second day.

They also demoed two unique two-bug chains against the Ubiquiti Connect EV Station and the JuiceBox 40 Smart EV Charging Station, as well as a three-bug exploit targeting the Automotive Grade Linux OS.

Synactiv also dominated the Pwn2Own Vancouver 2023 contest in March, earning $530,000 and a Tesla car for two exploit chains targeting its Gateway and Infotainment Unconfined Root.

In October, at Pwn2Own Toronto 2023, hackers won over $1 million for 58 zero-day exploits and multiple bug collisions targeting consumer products, including the Samsung Galaxy S23 smartphone, multiple printer models, surveillance systems, and network-attached storage (NAS) devices.

Earlier this month, ZDI announced that the Pwn2Own Vancouver 2024 competition is scheduled to take place starting March 20th during the CanSecWest 2024 Conference.

The event will feature a prize pool of over $1,000,000 for exploits in various software categories and automotive systems found in Tesla Model 3 and Model S cars.

Related Articles:

Tesla hacked again, 24 more zero-days exploited at Pwn2Own Tokyo

Tesla hacked, 24 zero-days demoed at Pwn2Own Automotive 2024

Apple fixes two new iOS zero-days exploited in attacks on iPhones

Windows Kernel bug fixed last month exploited as zero-day since August

CISA warns of Microsoft Streaming bug exploited in malware attacks