49 Zero-Day Exploits Found in 3 Days of Hacking Earns a Reward of US$886,250
NEWS
The Pwn2Own Automotive 2025 hacking contest concluded on January 23, and over 3 days of effort, hackers and researchers exposed 49 zero-day exploits (i.e., exploits for a vulnerability that has no known fix and is/was unknown to the vendor, so the vendor has “zero days” to develop a solution). The event, hosted by VicOne and Trend Micro in partnership with Tesla, is a competition built to expose and address vulnerabilities in connected car technologies, across Electric Vehicle (EV) charging, In-Vehicle Infotainment (IVI) systems, Operating Systems (OSs), and Tesla vehicles. This year, the exploits discovered include bugs in a ChargePoint EV charger, a Sony IVI system, a Tesla Wall Connector, and Automotive Grade Linux (AGL), among many others.
The scale of vulnerabilities discovered in such a short time is of little surprise—in 2024, 530 automotive-related vulnerabilities were published, and cyberattacks caused over US$22 billion in damages. The growth in the connected attack surface in a vehicle greatly increases the risks of security breaches, and automotive stakeholders are scrambling to adjust their processes, integrate new technologies and standards, and predict emerging threats. While stakeholders are mostly aligned on the grave need for reform in automotive cybersecurity, this attitude is not universal. One exploit discovered was for an Alpine IVI system, but it was not patched because “in accordance with ISO21434...the vulnerability is classified as ‘Sharing the Risk’.” While regulation, such as WP.29, can prompt some agents to take note of cybersecurity risks, proactive engagement in the cybersecurity process is needed to address the risks to business that vulnerabilities can expose.
As Connectivity Spreads, Security Must Become the Priority
IMPACT
Innovations in Software-Defined Vehicles (SDVs), such as the integration of Artificial Intelligence (AI) features, are intended to enhance the vehicle experience, but they can, and often do, also increase the risk of cybersecurity breaches. The attack surface has grown quickly to include the telematics system, IVI, EV chargers, keyless entry systems, and several potential points of breach throughout the supply chain, via Over-the-Air (OTA) updates or other connectivity-dependent features.
Collaborative initiatives such as Pwn2Own play an important role in the automotive cyber ecosystem by collecting the expertise of leading security researchers and incentivizing their work. This allows vendors whose solutions are breached during the event to rectify the mistakes, and prompts them to proactively strengthen their solutions’ resilience. ABI Research’s Automotive Cybersecurity: Securing Vehicle Functions report (AN-6234) details the evolving threat landscape for the automotive industry, and distinguishes the roles of different enabling technologies/practices for cybersecurity, such as Intrusion Detection and Protection Systems (IDPS), Vehicle Security Operations Center (VSOC) platforms, and threat intelligence. However, current attitudes about cybersecurity diminish the potential of these tools, as development teams and executive decision makers have often been noted to view them as a hurdle or obstacle to quick, efficient development and deployment. Tightly integrated partnerships with experienced cybersecurity specialists or adept Tier Ones are needed to address the problem, to build tools and processes that can stand the test of time across development, deployment, and maintenance. To make their desires for connected services revenue a mature reality, all Original Equipment Manufacturers (OEMs) will eventually need to take this step.
Preparing for a Post-Quantum World
RECOMMENDATIONS
With the 12- to 15-year lifecycle of vehicles, future risks become a critical issue to address. Their unpredictability, and the growing complexity and amount of software in emerging SDVs, with new features like the previously mentioned AI, require OEMs to account for the looming quantum threat by planning for Post-Quantum Cryptography (PQC). Many OEMs are already including this in their Requests for Quotation (RFQs) for cybersecurity services.
Further, the acceleration of innovation with open-source and standardized solutions, which can lead to single vulnerabilities exposing multiple supply chains, poses a significant threat. For example, the AGL exploit discovered at Pwn2Own has the potential to affect millions of vehicles across several OEMs in several regions. A similar consequence arises from the interconnected automotive supply chain, exemplified by the fact that 40% of cyberattacks in automotive in 2023 targeted multiple OEMs. Such attacks can come through the infotainment silicon chip supplier, the Tier One, a cloud service provider, etc.
The cyber solution stacks alone cannot deal with these threats, no matter how much AI support or acceleration is provided. In an industry where OEMs are often susceptible to the “silver bullet” trap when addressing cybersecurity, their partners have to ensure they enable them with a robust security risk management framework that addresses a vehicle’s entire lifecycle. A “ship and forget” solution is not feasible in the age of ubiquitous connectivity, AI, and quantum compute. Regular collaboration through events like Pwn2Own, continuous threat intelligence, and application of tools like VSOC platforms with AI enhancement are all needed under the guiding hand of experienced cybersecurity researchers to ensure the safety of the automotive ecosystem.