### Article Summary
The Zero Day Initiative (ZDI) has announced that it will be hosting the first Pwn2Own Automotive hacking contest, which will focus on car systems. This contest will be held at the Automotive World conference in Tokyo in January 2024. ZDI is offering over $1 million in cash and prizes to security researchers who can successfully exploit various automotive vulnerabilities.
### Internet Security in the Age of IoT
The rapidly advancing field of Internet of Things (IoT) technology has brought numerous benefits to our daily lives. However, it has also introduced new security challenges. As more and more devices become interconnected, the potential attack surface for hackers continues to expand. Connected cars, in particular, have become a prime target for cybercriminals due to their growing number of electronic systems and communication interfaces.
The Pwn2Own Automotive hacking contest aims to address these vulnerabilities by providing a platform for security researchers to showcase their expertise and discover potential weaknesses in automotive systems. By offering substantial cash rewards and prizes, ZDI hopes to incentivize researchers to uncover and responsibly disclose these vulnerabilities before they can be exploited by malicious actors.
### The Pwn2Own Automotive Contest: Exploring Vulnerabilities
The Pwn2Own Automotive contest will feature four categories: Tesla, in-vehicle infotainment (IVI), electric vehicle chargers, and operating systems. Each category presents unique challenges and opportunities for security researchers to demonstrate their skills.
In the Tesla category, contestants will have the opportunity to target either a Tesla Model 3/Y or Tesla Model S/X bench top unit. The highest prize in this category is $200,000 for exploits targeting the vehicle’s autopilot, gateway, or VCSEC. There are also additional prizes available for exploits targeting the CAN bus or achieving root persistence on the autopilot or infotainment system.
The IVI category focuses on vulnerabilities within the in-vehicle infotainment systems of popular brands like Sony, Alpine, and Pioneer. Contestants in this category have the chance to win $40,000 for their exploits.
The electric vehicle chargers category provides researchers with the opportunity to identify vulnerabilities in the charging systems of various devices from ChargePoint, Phoenix Contact, Emporia, JuiceBox, Autel, and Ubiquiti. The top prize for valid exploits in this category is $60,000.
Lastly, the operating systems category invites researchers to target Automotive Grade Linux, BlackBerry QNX, and Android Automotive OS. Exploits against these operating systems can earn researchers prizes of $50,000.
### Philosophical Discussion: Ethical Hacking and Responsible Disclosure
The Pwn2Own Automotive hacking contest raises important questions about the ethics and responsible disclosure of vulnerabilities. While hacking contests like Pwn2Own provide an opportunity for researchers to showcase their skills, it is crucial to ensure that these vulnerabilities are responsibly reported and patched.
Security researchers play a vital role in identifying vulnerabilities and working with manufacturers to address them. It is important for researchers participating in such contests to follow responsible disclosure practices, which involve notifying the affected vendors and giving them a reasonable amount of time to fix the vulnerabilities before going public with the details. Responsible disclosure helps to protect users from potential harm and allows companies to address the vulnerabilities without the added pressure of a public exploit.
### Editorial: The Importance of Securing Connected Vehicles
The Pwn2Own Automotive hacking contest highlights the pressing need for robust security measures in the automotive industry. Connected vehicles have become increasingly popular, and their vulnerabilities pose significant risks, including the potential for remote control of critical vehicle systems and unauthorized access to personal data.
As we move towards a future with autonomous vehicles and increased connectivity, it is crucial for automakers to prioritize cybersecurity. This requires implementing secure coding practices, conducting thorough security testing, and regularly patching vulnerabilities. Additionally, collaboration between automakers, security researchers, and regulatory bodies is essential to ensure the development of comprehensive security standards and protocols.
### Advice: Protecting Yourself in the IoT Era
While automakers and security researchers work towards improving the security of connected vehicles, there are steps that individuals can take to protect themselves in the IoT era.
1. Keep Software Up to Date: Regularly update the software on all devices connected to the internet, including cars, smartphones, and home automation systems. Software updates often include important security patches that help protect against known vulnerabilities.
2. Use Strong Passwords: Use unique and complex passwords for each device and service you use. Avoid using default passwords, as these are often easy for hackers to guess.
3. Secure Your Home Network: Use a strong and unique password for your home Wi-Fi network. Additionally, consider enabling network encryption, such as WPA2, to protect your connection from unauthorized access.
4. Be Mindful of Privacy Settings: Review the privacy settings on your devices and adjust them to your comfort level. Be aware of what data is being collected and shared, and only provide necessary permissions.
5. Research Devices Before Purchase: Before buying a new IoT device, research the manufacturer’s reputation for security and check for any known vulnerabilities. Choosing reputable brands with a track record of security can help minimize risks.
6. Use a Virtual Private Network (VPN): When connecting to the internet on public Wi-Fi networks, consider using a VPN to encrypt your data and protect your privacy.
7. Be Cautious of Phishing Attacks: Beware of unsolicited emails, text messages, or phone calls requesting personal information or urging immediate action. Always verify the source before providing any sensitive information.
By following these recommendations, individuals can take proactive steps to protect themselves and their connected devices in the IoT era.