
Pwn2Own Automotive Tokyo

Updated: Jan 31



From a small town in Indiana to the world's largest city. I took my first trip to Tokyo to witness 49 unique 0-day exploits against preselected targets (a Tesla Model Y, various infotainment units and EV wall chargers).

 

Pwn2Own, run by the Zero Day Initiative (ZDI), has been held since 2007, but this was the first automotive-specific edition, sponsored by Trend Micro's VicOne and Tesla.

 

One of my highlights was meeting team SYNACKTIV from France. SYNACKTIV successfully demonstrated 8 exploits, earning them 50 points. Their top exploits, remotely hacking the Model Y's cellular modem and its infotainment unit, earned them $200,000 between the two. In all, team SYNACKTIV earned a total of $450,000. I look forward to their future presentations detailing the technical parts of the exploits from this Pwn2Own.



Team SYNACKTIV from France - The Masters of PWN

 

Another highlight was meeting Phillip Spiegelt from Germany's team Tortuga. In the last 30 seconds of his exploit demonstration, I noticed the ZDI judge next to Phillip getting very excited. I grabbed my phone and started recording to get this amazing last second finish from Phillip. The crowd and I cheered as Phillip's exploit triggered a root shell at the last second. (Turn on the audio in the video below)




 

From what he told me, his first attempts were run while the ChargePoint mobile app was not connected to the internet. Luckily he was blessed by the Demo Gods and realized this difference on his last attempt.

 

The last highlight I will share comes from Day 1. I was chatting with other researchers when I heard, "I thought that was you Scott." I turned around to see Gary Wang (both of us were at Nuro before). He came to demonstrate an exploit on the Sony XAV-AX5500 infotainment unit. His exploit (at a high level) was delivered via USB, with his payload in a malicious media file.



Gary Wang and me - random meet up at Pwn2Own in Tokyo

 

My 3 Takeaways:

  1. All products are vulnerable to being attacked - even those that are seemingly well defended, like the Tesla units. Investments in product security defenses and the ability to patch quickly cannot be overlooked.

  2. Companies like Tesla, who sponsor Pwn2Own, become stronger each year. Pen tests are often too short to work out 0-day exploits like those presented by the security researchers at Pwn2Own. If you think a pen test is equivalent, please look at the number of 0-days generated at Pwn2Own. Pen tests are not equivalent.

  3. This is a community effort - the researchers and attendees of Pwn2Own become better through events like this. I got to meet several skilled participants and attendees from all over the world, and got to sing some karaoke with some of them too around Shibuya - What does the Fox say??!

 

I had a great time in Japan. The people were very helpful and kind to me, as I only knew a few phrases in Japanese. I found the buildings and public infrastructure to be modern marvels. The food was also very tasty. I loved going to this event and will be back for the next one…



Results of Winning Submissions [1] [2] [3]

| Team | Target | Prize $$$ | Master of Pwn Points | 0 Day? |
|---|---|---|---|---|
| Computest Sector 7 | ChargePoint Home Flex | $30,000 | 6 | Yes |
| Computest Sector 7 | Autel MaxiCharger AC Wallbox Commercial | $22,500 | 4.5 | Collision |
| Computest Sector 7 | JuiceBox 40 Smart EV Charging Station | $15,000 | 3 | Collision |
| Connor Ford | JuiceBox 40 Smart EV Charging Station | $30,000 | 6 | Yes |
| Connor Ford | ChargePoint Home Flex | $16,000 | 3 | Collision |
| fuzzware.io | ChargePoint Home Flex | $30,000 | 6 | Yes |
| fuzzware.io | Alpine Halo9 iLX-F509 | $10,000 | 2 | Collision |
| fuzzware.io | EMPORIA EV Charger Level 2 | $60,000 | 6 | Yes |
| fuzzware.io | Sony XAV-AX5500 | $40,000 | 4 | Yes |
| fuzzware.io | Autel MaxiCharger AC Wallbox Commercial | $15,000 | 3 | Collision |
| fuzzware.io | Phoenix Contact CHARX SEC-3100 | $22,500 | 4.5 | Collision |
| Gary Li Wang | Sony XAV-AX5500 | $20,000 | 4 | Yes |
| Katsuhiko Sato | Sony XAV-AX5500 | $10,000 | 2 | Collision |
| Katsuhiko Sato | Alpine Halo9 iLX-F509 | $20,000 | 4 | Yes |
| Le Tran Hai Tung | Alpine Halo9 iLX-F509 | $20,000 | 4 | Yes |
| Midnight Blue / PHP Hooligans | Sony XAV-AX5500 | $20,000 | 4 | Yes |
| Midnight Blue / PHP Hooligans | Autel MaxiCharger AC Wallbox Commercial | $30,000 | 6 | Yes |
| Midnight Blue / PHP Hooligans | Phoenix Contact CHARX SEC-3100 | $30,000 | 6 | Yes |
| NCC Group | Phoenix Contact CHARX SEC-3100 | $30,000 | 6 | Yes |
| NCC Group | Pioneer DMH-WT7600NEX | $40,000 | 4 | Yes |
| NCC Group | Alpine Halo9 iLX-F509 | $20,000 | 4 | Yes |
| PCAutomotive | Alpine Halo9 iLX-F509 | $40,000 | 4 | Yes |
| RET2 Systems | Phoenix Contact CHARX SEC-3100 | $60,000 | 6 | Yes |
| RET2 Systems | JuiceBox 40 Smart EV Charging Station | $30,000 | 6 | Yes |
| Rob Blakely | Automotive Grade Linux | $47,500 | 3.75 | Collision |
| Sina Kheirkhah | ChargePoint Home Flex | $60,000 | 6 | Yes |
| Sina Kheirkhah | Ubiquiti Connect EV | $30,000 | 6 | Yes |
| SYNACKTIV | ChargePoint Home Flex | $16,000 | 3 | Collision |
| SYNACKTIV | Tesla Modem | $100,000 | 10 | Yes |
| SYNACKTIV | Automotive Grade Linux | $35,000 | 5 | Yes |
| SYNACKTIV | Ubiquiti Connect EV Station | $60,000 | 6 | Yes |
| SYNACKTIV | Tesla Infotainment System | $100,000 | 10 | Yes |
| SYNACKTIV | JuiceBox 40 Smart EV Charging Station | $60,000 | 6 | Yes |
| SYNACKTIV | Sony XAV-AX5500 | $20,000 | 4 | Yes |
| SYNACKTIV | Not mentioned | $59,000 | 6 | Yes |
| Team Cluck | Phoenix Contact CHARX SEC-3100 | $26,250 | 5.25 | Collision |
| Team Cluck | ChargePoint Home Flex | $16,000 | 3 | Collision |
| Tortuga | ChargePoint Home Flex | $15,000 | 3 | Collision |
| u0K++ | Alpine Halo9 iLX-F509 | $20,000 | 4 | Yes |


References



