Connected cars as a target for hackers


A hacking competition in Tokyo discovered 49 security vulnerabilities in connected vehicles.

VicOne, a provider of cybersecurity solutions for the automotive industry, hosted its first ethical hacking event, “Pwn2Own Automotive 2024”, at Automotive World in Tokyo at the end of January. The aim was to research and overcome the challenges of cybersecurity in the automotive industry. The event was a great success. Specifically, 17 white hat hacker teams or individuals from nine countries, including Germany, made a total of over 50 different hacking attempts in four categories: “Tesla”, “In-Vehicle Infotainment (IVI)”, “EV Chargers” and “Operating System”. Contestants competed for a total of $1,323,750 in cash and prizes. The worrying result: over the three days of the event, the participants discovered a total of 49 previously unknown security vulnerabilities (zero-day vulnerabilities). To win a given hacking attempt, participants had to exploit the newly discovered vulnerabilities to attack target systems and devices and execute arbitrary instructions.

However, the event was not just about prestige and competition between the best white hat hackers in the scene, but also about collaboration within the automotive industry and with external IT cybersecurity experts to make the entire industry more secure. The electric vehicle manufacturer Tesla, the main sponsor of the event, made its own products available for testing, including a modem, an infotainment system and a Model Y vehicle. The participating hackers came from countries such as Vietnam, the USA and Japan, but also from Great Britain, Hungary, Holland, France and Germany, and carried out their attacks partly remotely and partly on site. From Germany, for example, the Tortuga team took part remotely, while the fuzzware.io team carried out its hacks on site.

The ethical hackers from fuzzware.io successfully targeted the “Sony SEC-3100” charging controller in the electric vehicle charger category. With six hacking attempts, they were among the busiest hackathon participants. Team Tortuga also checked the ChargePoint Home Flex charging station in the electric vehicle charger category for possible security vulnerabilities. With total winnings of 177,500 US dollars, the German team fuzzware.io took a very good second place and was beaten only by the winning team Synacktiv from France, which had total winnings of 450,000 US dollars and now also carries the title of “Master of Pwn” in addition to the overall victory. The multinational event served to connect and network the automotive industry with the cybersecurity industry and to highlight potential threats.