By the end of Day 3, the final day of Pwn2Own Automotive 2024, researchers had been awarded $1,323,750 in rewards for identifying 49 distinct zero-days.
The first-ever Pwn2Own Automotive event has concluded! Synacktiv wins the Master of Pwn Trophy, earning 50 Master of Pwn Points and a $450,000 prize. In particular, the Synacktiv team attacked Tesla's infotainment system and modem, and each vulnerability earned $100,000.
The first ever #Pwn2Own Automotive is in the books! We awarded $1,323,750 throughout the event and discovered 49 unique zero-days. A special congratulations to @synacktiv, the Masters of Pwn! Stay with us here and at the ZDI blog as we prepare for Pwn2Own Vancouver in March. pic.twitter.com/ov2B1rtA8c
— Zero Day Initiative (@thezdi) January 26, 2024
Pwn2Own Day 3
Computest Sector 7 exploited the ChargePoint Home Flex by using a 2-bug chain. They get six Master of Pwn Points and $30,000.
The Sony XAV-AX5500 was compromised by Synacktiv. Together with four Master of Pwn Points, they receive $20,000.
Sina Kheirkhah exploited the Ubiquiti Connect EV by using a 2-bug chain. He earns six Master of Pwn Points and $30,000.
Connor Ford of Nettitude exploited the JuiceBox 40 Smart EV Charging Station by using a stack-based buffer overflow. He earns six Master of Pwn Points and $30,000.
Confirmed! Connor Ford (@ByteInsight) of Nettitude used a stack-based buffer overflow in his exploit of the JuiceBox 40 Smart EV Charging Station. #Pwn2Own pic.twitter.com/xLBSGnnFFI
— Zero Day Initiative (@thezdi) January 26, 2024
The EMPORIA EV Charger Level 2 was exploited by fuzzware.io via a buffer overflow. They earn six Master of Pwn Points and $60,000.
Success! Tobias Scharnowski (@ScepticCtf) and Felix Buchmann of https://t.co/ELqV0E3vQ5 used a buffer overflow to exploit the EMPORIA EV Charger Level 2. They earn $60,000 and 6 Master of Pwn Points. #Pwn2Own pic.twitter.com/H3BphVAlfy
— Zero Day Initiative (@thezdi) January 26, 2024
Highlights from Day 1 of Pwn2Own Automotive: Research participants received awards totaling over $700,000. Sina Kheirkhah earned $60,000 by successfully launching his attack on ChargePoint Home Flex.
Synacktiv carried out a 2-bug chain against the JuiceBox 40 Smart EV Charging Station and earned $60,000. Using a UAF exploit, the PCAutomotive Team was able to successfully target the Alpine Halo9 iLX-F509 and earn $40,000.
Highlights from Day 2 of Pwn2Own Automotive: Over $1 million in rewards were offered to researchers. Using a 3-bug chain, the PHP Hooligans and Midnight Blue team exploited the Phoenix Contact CHARX SEC-3100 and earned $30,000.
Synacktiv exploited Automotive Grade Linux by using a 3-bug chain and earned $35,000. fuzzware.io exploited the ChargePoint Home Flex with a two-bug chain and received a $30,000 reward.
ZDI is currently getting ready to host Pwn2Own Vancouver 2024, which is scheduled for March 20 to 22 in Vancouver, Canada. Over $1 million will be awarded in prizes for that event.
You can view the detailed itinerary of the highly competitive contest by following this link. Furthermore, a thorough summary of the Pwn2Own Automotive 2024 Day 3 results is available here for your reference.