The Zero Day Initiative (ZDI) will host a new Automotive Pwn2Own at the Automotive World Conference in Tokyo, January 24 to 26, 2024.
Something new was inevitable. Left untouched, anything will eventually go stale; and prevention is always easier than cure. Automotive is also probably inevitable. Trend Micro owns ZDI and operates the Pwn2Own competitions. It also acquired VicOne, an automotive cybersecurity specialist, in 2018, allowing Trend to expand its own automotive cybersecurity offerings.
There are other reasons that make an Automotive Pwn2Own an attractive choice. SecurityWeek spoke to Dustin Childs, head of threat awareness at ZDI.
Childs traces the inspiration back to the 2019 Pwn2Own in Vancouver. Tesla brought a Model 3 to the hotel and allowed contestants to attempt to hack it. “A car isn’t just a car anymore,” said Childs; “it’s a system of systems.” An important part of this is the infotainment system, which brings the outside world — notably the internet — into the heart of the vehicle.
“You wouldn’t think you can hit the transmission from the same place you use to search for cheap gas — but you can.” So ZDI’s interest grew. “We want to understand the full attack surface of the modern vehicle. They’re becoming more and more autonomous and more and more pervasive, with new connected features continually being added by the manufacturers.”
Multiple software systems widely used by both consumers and businesses is the perfect subject for Pwn2Own. Childs admitted that he would like to do a Pwn2Own on healthcare equipment, but the logistics don’t work. “For automotive, I can put an Alpine head unit into a contest, and make sure that researchers around the world have access to an Alpine head unit —or Sony head units, or a Charge Point EV charger. I can’t get medical robots into the hands of security researchers for them to take months to look at and really do something. Until I can figure some way to ship surgical robots to Senegal, and Vietnam and France, it’s just going to have to wait.”
Shipping a complete car to contestants is obviously too much. “But if you’re a vetted hacker, and you say and we believe, you have some good stuff to attack an EV charger, we’ll get and ship you an EV charger. We trust you will eventually send it back, even if we don’t trust the charger when you do.” On this argument, maybe we could see a Connected Home Pwn2Own before we see a Healthcare Pwn2Own.
Automotive Pwn2Own is expensive. The costs are largely funded by Trend Micro. “We do approach a couple of vendors to be co-sponsors and put up a little money,” he said. “Tesla is a co-sponsor for this event. We approached a few others to be co-sponsors, but they declined. Charge Point is providing some of the hardware for us gratis, which is very nice. But it’s basically all our money. So, yeah, it’s expensive, but we enjoy it.”
He cites two specific advantages that have come out of the Pwn2Own program: its effectiveness as a form of bug bounty activity; and its influence in protecting independent research. On the first, “When you look at vendor agnostic [bug bounty] programs across the board, we are purchasing and reporting more bugs than anyone else in the industry. And we hold the vendor to account. Vendor specific bug bounties don’t mean the vendor is fixing the bugs. The bug bounty platforms are also very cagey with how many bugs they actually purchase. They’re very big with how much money their customers have spent, but not so much how many bugs they’ve purchased.”
For protecting the activity of whitehat researchers, Childs comments on the reduction of push back from vendors. “ZDI has been operating since 2005,” he said. In the early days, it would get legal threats when it reported bugs. “These days, it still occurs but much less frequently, probably two or three times a year. And at this point, it kind of makes us laugh, because we’ve been doing it so long. We know the laws better than they do and have helped influence some of them.”
Established Big Tech – the Googles, Microsofts and Apples of the world – understand the value of researchers reporting bugs to them. “The automotive community has yet to learn this, and this is the bridge that we’re really hoping to build,” said Childs. “Obviously, we want to see some really cool hacks. We think we’re going to have probably more than 10 but less than 20 exploits at the show. We’ll see if that comes to fruition. But what we’re really looking to do is to show the automotive community that there’s people out there who are able to look at their stuff, find problems, and help to get them fixed rather than exploit them for their own personal gain.”
For Automotive Pwn2Own, he summarizes, “There’s a lot of security research into vehicles, but most of it is behind closed doors and not really talked about. We want to bring that research into the light and really connect the security research community with the automotive community. Right now, the automotive community is not taking advantage of what we consider to be a great resource, which is the independent security researcher community around the globe. Let the researchers find the bugs and report them, and then the manufacturers can fix them before they get exploited. That’s what we try to do and Pwn2Own is a way for us to kind of make those connections.”
The arguments, of course, apply to all Pwn2Own competitions – but here, perhaps for the first time, they are focused on the connected car.