“ZDI Analyzes Landmark Event: The First Automotive Pwn2Own”

ZDI Discusses First Automotive Pwn2Own

The Zero Day Initiative (ZDI) recently announced that it will host the first-ever Automotive Pwn2Own event at the Automotive World Conference in Tokyo from January 24 to 26, 2024. The Automotive Pwn2Own competition aims to uncover vulnerabilities in the automotive industry and promote collaboration between security researchers and automotive manufacturers to improve cybersecurity in vehicles.

The Rise of Connected Cars

The decision to host an Automotive Pwn2Own event is driven by the increasing complexity and connectivity of modern vehicles. As Dustin Childs, head of threat awareness at ZDI, points out, “A car isn’t just a car anymore; it’s a system of systems.” One of the most critical components of this system is the infotainment system, which brings the outside world, notably the internet, into the heart of the vehicle. Childs explains, “You wouldn’t think you can hit the transmission from the same place you use to search for cheap gas—but you can.”

With cars becoming more autonomous and manufacturers continually adding new connected features, it is essential to understand the full attack surface of modern vehicles. The Automotive Pwn2Own event aims to provide insight into the security vulnerabilities present in automotive systems and encourage manufacturers to address them before they are exploited.

Promoting Bug Bounty Activity and Independent Research

The Automotive Pwn2Own event serves two primary purposes: bug bounty activity and protecting the work of independent security researchers. In terms of bug bounty activity, ZDI purchases and reports more bugs than any other vendor-agnostic program. Unlike vendor-specific bug bounties, where the vendor may not actually fix the reported bugs, ZDI holds manufacturers accountable and ensures that the vulnerabilities are addressed.

Furthermore, ZDI’s longstanding presence in the cybersecurity community has helped foster a more collaborative approach to vulnerability disclosure. Initially, ZDI faced legal threats when reporting bugs, but over time, these instances have decreased. This change is thanks in part to ZDI’s expertise in cybersecurity law and its contributions to shaping legislation in this domain.

While established technology companies, like Google, Microsoft, and Apple, understand the value of researchers reporting bugs, the automotive community has yet to fully embrace this concept. Childs states, “The automotive community is not taking advantage of what we consider to be a great resource, which is the independent security researcher community around the globe. Let the researchers find the bugs and report them, and then the manufacturers can fix them before they get exploited.”

Challenges and Costs

Organizing an Automotive Pwn2Own event comes with its own set of challenges and costs. Shipping complete cars to contestants is logistically unfeasible. However, ZDI can provide researchers with specific automotive components, like head units or EV chargers, for testing purposes. ZDI depends on the trust and integrity of the researchers to ensure that the borrowed components are eventually returned.

Funding for the event primarily comes from Trend Micro, the parent company of ZDI. While ZDI approaches vendors to co-sponsor the event, most of the funding comes from Trend Micro. However, Tesla has offered to co-sponsor the event, and ChargePoint is providing hardware for the competition. Despite the expenses involved, ZDI remains committed to hosting the event, as it sees the value in promoting collaboration and improving vehicle cybersecurity.

Editorial: Strengthening Cybersecurity in the Automotive Industry

The announcement of the first Automotive Pwn2Own event marks an important step towards improving cybersecurity in the automotive industry. With the increasing number of connected vehicles and autonomous features, it is crucial to identify and address vulnerabilities before they are exploited by malicious actors.

The Automotive Pwn2Own event not only provides a platform for security researchers to showcase their skills but also encourages collaboration between researchers and automotive manufacturers. By fostering this collaboration, the event aims to bridge the gap between the cybersecurity and automotive communities. It is essential for automotive manufacturers to recognize the value that independent security researchers bring in identifying and addressing vulnerabilities in their products.

Furthermore, the bug bounty activity associated with the Automotive Pwn2Own event sets a new standard for vulnerability disclosure and accountability. By purchasing and reporting more bugs than any other vendor-agnostic program, ZDI ensures that vulnerabilities are addressed, pushing manufacturers to take cybersecurity seriously. The reduced pushback from vendors regarding vulnerability reports demonstrates the progress made in establishing a more cooperative relationship between researchers and manufacturers.

While hosting an Automotive Pwn2Own event is expensive, the benefits it brings to the industry far outweigh the costs. It provides a visible platform to showcase the security research conducted on vehicles and introduces manufacturers to the independent security researcher community, which can help identify vulnerabilities and contribute to their resolution. This event marks a significant opportunity for the automotive industry to strengthen its cybersecurity practices and protect consumers from potential threats.

Advice for the Automotive Industry

The automotive industry should take the Automotive Pwn2Own event as an opportunity to reassess and improve its cybersecurity practices. To ensure the safety of their vehicles and the data transmitted within them, manufacturers should consider the following recommendations:

1. Implement Secure Development Practices:

Adopt secure development practices, such as threat modeling and secure coding guidelines, to build resilient and secure automotive systems. By integrating security into the development process, manufacturers can reduce the likelihood of introducing vulnerabilities into their products.

2. Conduct Regular Vulnerability Assessments:

Regularly assess the security of automotive systems through comprehensive vulnerability assessments. This includes both internal testing and engaging external security researchers to identify potential vulnerabilities and address them promptly.

3. Foster Collaboration with Security Researchers:

Establish channels of communication and collaboration with independent security researchers. Encourage responsible vulnerability disclosure and create bug bounty programs to incentivize researchers to report vulnerabilities directly to manufacturers.

4. Prioritize Security Education and Awareness:

Invest in cybersecurity education and awareness programs for both employees and consumers. By educating employees about secure development practices and raising awareness among consumers about the cybersecurity risks associated with connected vehicles, manufacturers can create a more secure ecosystem.

5. Regularly Update and Patch Software:

Ensure that software systems and components in vehicles are regularly updated and patched to fix known vulnerabilities. Timely software updates are essential in mitigating the risk of exploitation by threat actors.

By implementing these recommendations, the automotive industry can strengthen its cybersecurity posture and build more secure vehicles. The Automotive Pwn2Own event should serve as a catalyst for change, driving manufacturers to prioritize cybersecurity and collaborate with the security research community to protect vehicles and their occupants.