Pwn2Own Automotive 2024 Tokyo

The first edition of Pwn2Own Automotive has ended with competitors earning $1,323,750 for hacking Tesla twice and demoing 49 zero-day bugs in multiple electric car systems between January 24 and January 26.

Throughout the contest organized by Trend Micro's Zero Day Initiative (ZDI) in Tokyo, Japan, during the Automotive World auto conference, hackers targeted fully patched electric vehicle (EV) chargers, infotainment systems, and car operating systems.

After a zero-day vulnerability is exploited and reported to vendors during Pwn2Own, the vendors have 90 days to release security patches before Trend Micro's Zero Day Initiative discloses it publicly.

You can find the complete set of targets and the rules of Pwn2Own Automotive here. The full schedule is listed here.

The Pwn2Own Automotive 2024 contest was won by Team Synacktiv, who took home $450,000 in cash, followed by fuzzware.io with $177,500 and Midnight Blue/PHP Hooligans with $80,000.

Pwn2Own leaderboard (ZDI)

Synacktiv hacked the Tesla car twice, getting root permissions on a Tesla Modem by chaining three vulnerabilities on the first day and demoing a Tesla Infotainment System sandbox escape via a chain of two zero-day exploits on the second day.

They also demoed two unique two-bug chains against the Ubiquiti Connect EV Station and the JuiceBox 40 Smart EV Charging Station, as well as a three-bug exploit targeting the Automotive Grade Linux OS.

Synacktiv also dominated the Pwn2Own Vancouver 2023 contest in March, earning $530,000 and a Tesla car for two exploit chains targeting its Gateway and Infotainment Unconfined Root.

In October, at Pwn2Own Toronto 2023, hackers won over $1 million for 58 zero-day exploits and multiple bug collisions targeting consumer products, including the Samsung Galaxy S23 smartphone, multiple printer models, surveillance systems, and network-attached storage (NAS) devices.

Earlier this month, ZDI announced that the Pwn2Own Vancouver 2024 competition is scheduled to take place starting March 20th during the CanSecWest 2024 Conference.

The event will feature a prize pool of over $1,000,000 for exploits in various software categories and automotive systems found in Tesla Model 3 and Model S cars.
