Security researchers hacked a Tesla Modem and collected awards of $722,500 on the first day of Pwn2Own Automotive 2024 for three bug collisions and 24 unique zero-day exploits.
They also used two unique two-bug chains to hack a Ubiquiti Connect EV Station and a JuiceBox 40 Smart EV Charging Station, earning an additional $120,000.
A third exploit chain targeting the ChargePoint Home Flex EV charger was already known but still brought them $16,000 in cash, with a total of $295,000 in prizes during the first day of the contest.
Security researchers also successfully hacked multiple fully patched EV charging stations and infotainment systems, with the NCC Group EDG team taking the second place on the leaderboard after winning $70,000 for zero-days exploited to hack the Pioneer DMH-WT7600NEX infotainment system and the Phoenix Contact CHARX SEC-3100 EV charger.
After the zero-day bugs are exploited and reported during the Pwn2Own competition, vendors have 90 days to develop and release security fixes before TrendMicro’s Zero Day Initiative publicly discloses them.
The Pwn2Own Automotive 2024 hacking contest focuses on automotive technologies and takes place this week in Tokyo, Japan, during the Automotive World auto conference between January 24 and January 26.
Throughout the competition, security researchers will be able to target Tesla in-vehicle infotainment (IVI) systems, electric vehicle (EV) chargers, and car operating systems (i.e., Automotive Grade Linux, BlackBerry QNX, Android Automotive OS).
They’ll also demo zero-day exploits targeting Tesla Model 3/Y (Ryzen-based) or Tesla Model S/X (Ryzen-based) systems, including the infotainment system, modem, tuner, wireless, and autopilot.
The top prize will be awarded for VCSEC, gateway, or autopilot zero-days, with a cash award of $200,000 and a Tesla car.
During the Pwn2Own Vancouver 2023 competition in March, security researchers earned $1,035,000 and a Tesla Model 3 car after demoing 27 zero-day (and several bug collisions).