Today at the Automotive World conference in Tokyo, Japan, I presented a talk in the Cyber Security from the Perspectives of Hackers and Automakers track. During this presentation, I announced the ZDI will host a new Pwn2Own contest focused on automotive systems – Pwn2Own Automotive. This contest will be held at next year’s Automotive World in January 2024. Tokyo has hosted many Pwn2Own competitions in the past, and we’re excited to return with a new event focusing solely on automotive components and technologies. In doing this, we have three primary goals for the contest:
1. Provide an avenue to encourage automotive research. We want to offer a place where researchers can submit and be financially rewarded for reports targeting various products and platforms.
2. Incentivize vendors to participate in the security research community. We want to connect our global community of security researchers with automotive manufacturers to help improve their security and resiliency.
3. Bring a focus to the sub-components of a vehicle. Rather than looking at the vehicle as a monolithic unit, we want to bring attention to the multiple complex systems that comprise a modern automobile.
A car isn’t just a car; it’s a system of systems. Classically speaking, you could break these down into components like steering, brakes, transmission, and cooling. In the past, electrical just meant getting spark to the engine and power to the lights. In modern cars, these systems are increasingly complex. Whether it’s the on-board diagnostics (OBD), the Telematics Control Unit for vehicle tracking, the Advanced Driver-Assistance System (ADAS), or even the in-vehicle infotainment system, these components represent increased computing power – and increased attack surface.
We will be providing the rules for this contest shortly after the Pwn2Own Vancouver event in March. It is our goal to work with vendors to ensure we have the appropriate targets available. During my talk, I encouraged automotive vendors to reach out to us if they wish to participate, and we hope to hear from many. We’ve already spoken with several and know that we will have EV charging stations and various infotainment systems at the event. We’ll also be including open-source components commonly found in different vehicle systems. We hope these partnerships improve the security of vehicles. We’ve had great success at other Pwn2Own contests, increasing the security of products in areas such as enterprise software and ICS technologies. We wish to do the same with automobiles and their subsystems.
Starting in 2007, Pwn2Own has brought together researchers and vendors to find the latest in vulnerabilities and exploit techniques. Over the years, security mitigations like Isolated Heap, Enhanced Protected Mode, MemGC, and Win32K module isolation can all trace their roots back to exploits demonstrated at a Pwn2Own event. One of the goals of the contest is to find and fix bugs before they are exploited by attackers. Another is to bring together world-class researchers and vendors to discuss the current state of vehicle security and strategize ways to improve it.
We hope to see many researchers demonstrating their exploits next year, and we hope you’ll join us in Tokyo as we launch the inaugural Pwn2Own Automotive. We’ll be posting updates regarding this competition throughout the year detailing the exact targets to be included in the event. Follow us on Twitter, Mastodon, LinkedIn, and Instagram for the latest updates on what should be an exciting event.
Written by admin