Connect with us

Hi, what are you looking for?


IoT Security

Over $1 Million Offered at New Pwn2Own Automotive Hacking Contest

ZDI is offering more than $1 million at the Pwn2Own Automotive hacking contest, hosted in January at the Automotive World conference in Tokyo.

Tesla cars exposed by misconfigured TeslaMate

The Zero Day Initiative (ZDI) this week announced that it will be offering more than $1 million in cash and prizes at Pwn2Own Automotive, the first Pwn2Own hacking contest focused on car systems.

The competition will be hosted at the Automotive World conference, which is scheduled for January 24 – 26, 2024, in Tokyo, Japan.

Interested security researchers have until January 18 to register for the contest and submit an entry, consisting of “a detailed whitepaper completely explaining your exploit chain and instructions on how to run the entry”, ZDI has announced.

The same as with other similar events, ZDI is allowing remote participation to Pwn2Own Automotive, on the basis that not all researchers will be able to attend the conference.

“If you plan on participating remotely, you will need to contact us even earlier to ensure we put you in the best position for success. We recommend two weeks prior to the deadline at the very latest,” ZDI says.

The first Pwn2Own Automotive will have four categories, namely Tesla, in-vehicle infotainment (IVI), electric vehicle chargers, and operating systems.

Contestants participating in the first category can register “an entry against either a Tesla Model 3/Y (Ryzen-based) or Tesla Model S/X (Ryzen-based) equivalent bench top unit”, ZDI says.

Advertisement. Scroll to continue reading.

The highest prize in this category is $200,000, for exploits targeting the vehicle’s autopilot, gateway, or VCSEC, followed by a $100,000 reward for ethernet exploits targeting the autopilot and gateway. A Tesla car is available as an additional prize in both cases.

Researchers may also earn optional add-on rewards for exploits targeting the CAN bus, or which can achieve root persistence on the autopilot or on the vehicle’s infotainment system.

In the second category, contestants may earn $40,000 prizes for exploits targeting three IVI devices from Sony, Alpine, and Pioneer.

There will be six different devices (from ChargePoint, Phoenix Contact, Emporia, JuiceBox, Autel, and Ubiquiti) available as targets in the electric vehicle chargers category, with prizes of up to $60,000 for valid exploits.

In both categories, the exploits should target the device’s exposed services, or the communication protocols and physical interfaces that a typical user can access.

In the operating systems category, researchers can earn prizes of $50,000 for exploits targeting Automotive Grande Linux, BlackBerry QNX, and Android Automotive OS.

“An attempt in this category must be launched against the target’s exposed services/features or launched against the target’s communication protocols that are accessible to a typical user,” ZDI explains.

Security researchers interested in participating in the Pwn2Own Automotive 2024 contest are encouraged to read the full set of rules and ZDI’s blog post on what participating in Pwn2Own involves.

Related: Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own

Related: VMware Patches Critical Vulnerability Disclosed at Pwn2Own Hacking Contest

Related: Hackers Earn Over $1 Million at Pwn2Own Exploit Contest

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.

IoT Security

An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

IoT Security

Researchers at offensive hacking shop Synacktiv demonstrated successful exploit chains and were able to “fully compromise” Tesla’s newest electric car and take top billing...

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...

IoT Security

Vulnerabilities in electric vehicle charging management systems can be exploited for DoS attacks and to steal energy or sensitive information.

IoT Security

Chinese video surveillance company Hikvision has patched a critical vulnerability in some of its wireless bridge products. The flaw can lead to remote CCTV...