From a small town in Indiana to the world's largest city: I took my first trip to Tokyo to witness 49 unique 0-day exploits against preselected targets (a Tesla Model Y, various infotainment units and EV wall chargers).
Pwn2Own, run by the Zero Day Initiative (ZDI), has been held since 2007. But this was the first instance of an automotive-specific version, sponsored by Trend Micro's VicOne and Tesla.
One of my highlights was meeting team SYNACKTIV from France. SYNACKTIV successfully demonstrated 8 exploits, earning them 50 Master of Pwn points. Their top exploits, remotely hacking the Model Y's cellular modem and its infotainment unit, earned $100,000 each, $200,000 in total. In all, team SYNACKTIV earned $450,000. I look forward to their future presentations detailing the technical parts of the exploits from this Pwn2Own.
Team SYNACKTIV from France - The Masters of PWN
Another highlight was meeting Phillip Spiegelt from Germany's team Tortuga. In the last 30 seconds of his exploit demonstration, I noticed the ZDI judge next to Phillip getting very excited. I grabbed my phone and started recording to capture this amazing last-second finish from Phillip. The crowd and I cheered as Phillip's exploit triggered a root shell at the last second. (Turn on the audio in the video below.)
From what he told me, his first attempts were run while the ChargePoint mobile app was not connected to the internet. Luckily, he was blessed by the Demo Gods and realized this difference on his last attempt.
The last highlight I will share comes from Day 1. I was chatting with other researchers when I heard, "I thought that was you, Scott." I turned around to see Gary Wang (both of us were at Nuro before). He came to demonstrate an exploit on the Sony XAV-AX5500 infotainment unit. His exploit, at a high level, was delivered via USB with his payload in a malicious media file.
Gary Wang and me - random meet up at Pwn2Own in Tokyo
My 3 Takeaways:
1. All products are vulnerable to attack, even those that are seemingly well defended like the Tesla units. Investments in product security defenses and the ability to patch quickly cannot be overlooked.
2. Companies like Tesla, who sponsor Pwn2Own, become stronger each year. Pen tests are often too short to work out 0-day exploits like those presented by the security researchers at Pwn2Own. If you think a pen test is equivalent, please look at the number of 0-days generated at Pwn2Own. Pen tests are not equivalent.
3. This is a community effort: the researchers and attendees of Pwn2Own become better through events like this. I got to meet several skilled participants and attendees from all over the world, and got to sing some karaoke with some of them around Shibuya. What does the Fox say??!
I had a great time in Japan. The people were very helpful and kind to me, as I only knew a few phrases in Japanese. The buildings and public infrastructure I found to be modern marvels. The food was also very tasty. I loved going to this event and will be back for the next one…
Results of Winning Submissions [1] [2] [3]
In the 0-Day? column, "Collision" marks an entry whose bug was already known to the vendor or had already been demonstrated earlier in the contest; such entries receive reduced prize money and Master of Pwn points.
Team | Target | Prize (USD) | Master of Pwn Points | 0-Day? |
--- | --- | --- | --- | --- |
Computest Sector 7 | ChargePoint Home Flex | $30,000 | 6 | Yes |
Computest Sector 7 | Autel MaxiCharger AC Wallbox Commercial | $22,500 | 4.5 | Collision |
Computest Sector 7 | JuiceBox 40 Smart EV Charging Station | $15,000 | 3 | Collision |
Connor Ford | JuiceBox 40 Smart EV Charging Station | $30,000 | 6 | Yes |
Connor Ford | ChargePoint Home Flex | $16,000 | 3 | Collision |
fuzzware.io | ChargePoint Home Flex | $30,000 | 6 | Yes |
fuzzware.io | Alpine Halo9 iLX-F509 | $10,000 | 2 | Collision |
fuzzware.io | EMPORIA EV Charger Level 2 | $60,000 | 6 | Yes |
fuzzware.io | Sony XAV-AX5500 | $40,000 | 4 | Yes |
fuzzware.io | Autel MaxiCharger AC Wallbox Commercial | $15,000 | 3 | Collision |
fuzzware.io | Phoenix Contact CHARX SEC-3100 | $22,500 | 4.5 | Collision |
Gary Li Wang | Sony XAV-AX5500 | $20,000 | 4 | Yes |
Katsuhiko Sato | Sony XAV-AX5500 | $10,000 | 2 | Collision |
Katsuhiko Sato | Alpine Halo9 iLX-F509 | $20,000 | 4 | Yes |
Le Tran Hai Tung | Alpine Halo9 iLX-F509 | $20,000 | 4 | Yes |
Midnight Blue / PHP Hooligans | Sony XAV-AX5500 | $20,000 | 4 | Yes |
Midnight Blue / PHP Hooligans | Autel MaxiCharger AC Wallbox Commercial | $30,000 | 6 | Yes |
Midnight Blue / PHP Hooligans | Phoenix Contact CHARX SEC-3100 | $30,000 | 6 | Yes |
NCC Group | Phoenix Contact CHARX SEC-3100 | $30,000 | 6 | Yes |
NCC Group | Pioneer DMH-WT7600NEX | $40,000 | 4 | Yes |
NCC Group | Alpine Halo9 iLX-F509 | $20,000 | 4 | Yes |
PCAutomotive | Alpine Halo9 iLX-F509 | $40,000 | 4 | Yes |
RET2 Systems | Phoenix Contact CHARX SEC-3100 | $60,000 | 6 | Yes |
RET2 Systems | JuiceBox 40 Smart EV Charging Station | $30,000 | 6 | Yes |
Rob Blakely | Automotive Grade Linux | $47,500 | 3.75 | Collision |
Sina Kheirkhah | ChargePoint Home Flex | $60,000 | 6 | Yes |
Sina Kheirkhah | Ubiquiti Connect EV | $30,000 | 6 | Yes |
SYNACKTIV | ChargePoint Home Flex | $16,000 | 3 | Collision |
SYNACKTIV | Tesla Modem | $100,000 | 10 | Yes |
SYNACKTIV | Automotive Grade Linux | $35,000 | 5 | Yes |
SYNACKTIV | Ubiquiti Connect EV Station | $60,000 | 6 | Yes |
SYNACKTIV | Tesla Infotainment System | $100,000 | 10 | Yes |
SYNACKTIV | JuiceBox 40 Smart EV Charging Station | $60,000 | 6 | Yes |
SYNACKTIV | Sony XAV-AX5500 | $20,000 | 4 | Yes |
SYNACKTIV | --Not mentioned | $59,000 | 6 | Yes |
Team Cluck | Phoenix Contact CHARX SEC-3100 | $26,250 | 5.25 | Collision |
Team Cluck | ChargePoint Home Flex | $16,000 | 3 | Collision |
Tortuga | ChargePoint Home Flex | $15,000 | 3 | Collision |
u0K++ | Alpine Halo9 iLX-F509 | $20,000 | 4 | Yes |