49 unique zero-days Uncovered in Pwn2Own Automotive

On the final day of Pwn2Own Automotive 2024 – Day 3, researchers were granted $1,323,750 in rewards for identifying 49 distinct zero-days.

The first-ever Pwn2Own Automotive event has concluded! Synacktiv wins the Master of Pwn Trophy, earning 50 Master of Pwn Points and a $450,000 prize. Particularly, the infotainment system and modem of Tesla were attacked by the Synacktiv team, and each vulnerability earned $100,000.

Pwn2Own Day 3

Computest Sector 7 exploited the ChargePoint Home Flex by using a 2-bug chain. They get six Master of Pwn Points and $30,000.

The Sony XAV-AX5500 was compromised by Synacktiv. Together with four Master of Pwn Points, they receive $20,000.

Sina Kheirkhah exploited the Ubiquiti Connect EV by using a 2-bug chain. Six Master of Pwn Points and $30,000 are his earnings.

Connor Ford of Nettitude exploited the JuiceBox 40 Smart EV Charging Station by using a stack-based buffer overflow. Six Master of Pwn Points and $30,000 are his earnings.

The EMPORIA EV Charger Level 2 was exploited by fuzzware.io via a buffer overflow. Six Master of Pwn Points and $60,000 are their earnings.

Highlights of the Day 1 of Pwn2Own Automotive’s research participants received awards totaling over $700,000. Sina Kheirkhah earned $60,000 by successfully launching his attack on ChargePoint Home Flex. 

A 2-bug chain was carried out by Synacktiv against the JuiceBox 40 Smart EV Charging Station and $60,000 is their earnings. Using a UAF exploit, the PCAutomotive Team was able to successfully target the Alpine Halo9 iLX-F509 and earn $40,000.

Highlights from Day 2 of Pwn2Own Automotive: Over $1 million in rewards were offered to researchers. Using a 3-bug chain, the PHP Hooligans and Midnight Blue team exploited the Phoenix Contact CHARX SEC-3100 and earned $30,000.

Synacktiv exploited Automotive Grade Linux by using a 3-bug chain and earned $35,000. fuzzware.io exploited the ChargePoint Home Flex with a two-bug chain and received $30,000 rewards.

ZDI is currently getting ready to host Pwn2Own Vancouver 2024, which is scheduled for March 20 to 22 in Vancouver, Canada. Over $1 million will be awarded in prizes for that event.

You can view the detailed itinerary of the highly competitive contest by following this link. Furthermore, a thorough summary of the Pwn2Own Automotive 2024 Day 3 results is available here for your reference.

Related Read