Pwn2Own 2024: Tesla Hacks, Dozens of Zero-Days in Electrical Vehicles

Published: 23/11/2024   Category: security



Hacking teams pick apart electric vehicles (EVs), exposing them for what they are: safety-critical computers without commensurate security.



In just two days at Pwn2Own 2024 in Tokyo, researchers have compromised a bevy of electric vehicle chargers, operating systems, and Tesla components, unearthing dozens of zero-day vulnerabilities along the way.
Last year's Pwn2Own in Vancouver flirted with cars as an attack surface, adding Teslas into the mix alongside competitions to hack more traditional servers, enterprise applications, browsers, and the like. But this year's event went full pedal to the metal, and the results have been enlightening.
On the first day alone, contestants demonstrated 24 unique zero-days, earning them $722,500 in winnings. Day two saw 20 new exploits, and the final, third day promises nine more still.
"Vehicles are increasingly becoming a complex system of systems," says Dustin Childs, head of threat awareness for Trend Micro's Zero Day Initiative (ZDI), the group hosting the event. "There hasn't been a lot of research into this area in the past, and based on our experience, that lack of external scrutiny means there could be a lot of security issues."
The headline-grabbing event at last year's Pwn2Own was when a team from Toulouse-based Synacktiv managed to breach a Tesla Model 3 in under two minutes.
This year, Synacktiv has returned with exploits of the Ubiquiti Connect and JuiceBox 40 Smart EV charging stations, the ChargePoint Home Flex (an at-home EV charging tool), and the self-explanatory Automotive Grade Linux. Its most notable achievements, though, have been a three-bug exploit chain against Tesla's modem, and a two-bug chain against its infotainment system, each earning a $100,000 cash prize.
According to the rules of the event, vendors have 90 days to remediate their security flaws before they're allowed to be publicly disclosed. But in an email from Tokyo, the Synacktiv crackers gave Dark Reading a high-level overview of what the attacks looked like:
"The attack is sent from a GSM antenna emulating a fake BTS (rogue telecom operator). A first vulnerability gives root access to the modem card of the Tesla," they wrote. "A second attack jumps from the modem to the infotainment system. And bypassing the security features on this process, it's possible to access multiple equipment on the car such as the headlights, the windshield wipers, or to open the trunk and the doors."
"With Teslas," says Synacktiv CEO Renaud Feil, "it's a two-sided coin. It's a car that has a huge attack surface — everything is IT in a Tesla. But they also have a strong security team and they try to pay a lot of attention to security. So it's a huge target, but it's a difficult target."
"The attack surface of the car, it's growing, and it's getting more and more interesting, because manufacturers are adding wireless connectivities, and applications that allow you to access the car remotely over the Internet," Feil says.
Ken Tindell, chief technology officer of Canis Automotive Labs, seconds the point. "What is really interesting is how so much reuse of mainstream computing in cars brings along all the security problems of mainstream computing into cars."
"Cars have had this two worlds thing for at least 20 years," he explains. "First, you've got mainstream computing (done not very well) in the infotainment system. We've had this in cars for a while, and it's been the source of a huge number of vulnerabilities — in Bluetooth, Wi-Fi, and so on. And then you've got the control electronics, and the two are very separate domains. Of course, you get problems when that infotainment then starts to touch the CAN bus that's talking to the brakes, headlights, and stuff like that."
It's a conundrum that should be familiar to OT practitioners: managing IT equipment alongside safety-critical machinery, in such a way that the two can work together without spreading the former's nuisances to the latter. And, of course, there are the disparate product life cycles between IT and OT tech — cars lasting far longer than, say, laptops — which only serve to make the gap even less wieldy.
For an image of where vehicle cybersecurity is going, one might start at infotainment — the biggest, most obvious attack surface in cars today. Here, there have been two schools of thought developing.
"One is: Let's just not bother, because you'll never keep up considering the product cycles in cars. Apple CarPlay and Android Auto — that is the way forward. So the car manufacturer provides a screen, and then your phone provides the infotainment stuff," Tindell explains. "I think that's a good approach, because your phone clearly is your responsibility, Apple keeps it up to date, it's all patched, and then your car is just providing a screen."
"The other school of thought is to let these big companies take control of the key functions of your cars. License an operating system from Google, and now it's the Google CarPlay equivalent, but directly wired into the car," he says. "With a company like Google in charge, there is an update mechanism for it, just like it updates their Pixel phones. The question is, in 10 years' time, are you still going to get updates for your car once Google gets bored and tries to shut it down?"
But even if manufacturers do manage to squeeze one part of the attack surface (unlikely) or outsource the responsibility of overseeing it to third parties (imperfectly), Pwn2Own 2024 has demonstrated that they'll still have vastly more problems yet to account for, from EV chargers to modems, operating systems, and more.
To Tindell, "what's really important is to keep the mainstream computing firewalled off from the control systems, so that there's a choke point. Unfortunately, some of the choke points so far haven't been very well-developed, and you can crack them on the end of a chain of exploits," he adds.
"I think they know what to do," Synacktiv's Feil says. "It's the same process that applies to the rest of the IT industry: invest in cybersecurity, do some audits, hack your stuff until it gets very hard to hack."
Getting manufacturers to that point, he believes, might require some outside intervention. "The industry has been able to push back to restrict regulation," Feil says. "Their narrative is: We are having a tough time, because everyone is asking us to switch to electric cars, and it may affect our bottom line heavily. But they must show that they are doing something when it comes to cybersecurity."
