Pwn2Own Puts the Pedal to the Metal with New Automotive Competition, Boasting $1 Million in Prizes
Crack a Tesla's computer, an in-vehicle infotainment system, or an electric charger, and you could be driving home in style.
The Pwn2Own contest, which sees security researchers invited to find vulnerabilities in a range of consumer products, is making the jump across to automotive — and the rules of the game are now live, ahead of the contest opening in January 2024.
"Earlier this year, I announced the ZDI [Zero Day Initiative], along with our cohorts at VicOne, will host a new Pwn2Own contest focused on automotive systems – Pwn2Own Automotive – at the upcoming Automotive World conference in Tokyo, Japan, held on January 24th – 26th, 2024," writes ZDI lead Brian Gorenc. "We have more than $1,000,000 USD in cash and prizes available, and we can’t wait to see what researchers bring to demonstrate in Tokyo."
The Pwn2Own contests first opened in April 2007, asking contestants to find vulnerabilities in Apple products — and giving successful entrants, on top of cash prizes provided by ZDI for previously-unknown zero-day vulnerabilities, the products in question, hence the name.
Over the years, the scope of Pwn2Own has expanded from Apple products to include Windows and Linux systems and web browsers, and in 2019 the contest introduced its first automotive category. The new dedicated automotive spin-off comes with a prize pool valued at $1,000,000 and includes a partnership with Tesla on electric vehicles and ChargePoint on chargers for same. The competition, Gorenc explains, will be split into four categories: Tesla as a whole-vehicle target, in-vehicle infotainment (IVI) systems, electric vehicle chargers, and operating systems.
The physical targets themselves include a bench-top unit designed to mimic those inside either Tesla Model 3/Y or Tesla Model S/X electric vehicles; Sony, Alpine, and Pioneer IVI systems; ChargePoint, Phoenix Contact, Emporia, JuiceBox, Autel, and Ubiquiti chargers; and Automotive Grade Linux, BlackBerry QNX, and Android Automotive operating systems.
"We can't wait to see what researchers bring to demonstrate in Tokyo," Gorenc says, before noting that "we know not everyone can make it to Automotive World, so we will allow remote participation similar to other events." The order of entrants' attempts is chosen at random, with the first successful attack in a given category taking home the full cash prize and subsequent attacks earning lesser payouts — but all earning points towards the "Master of Pwn" award at the end of the event.
More details are available on the Zero Day Initiative blog; registration is open now, and will close on January 18, 2024.