Focus on source code security and collect the latest information at home and abroad!
Compiled by: Code Guard
ZDI will host the first Pwn2Own competition focused on automotive systems at the Global Automotive Conference in Tokyo, Japan, from January 24 to 26, 2024. ZDI announced the competition's targets and prize money today. The competition has three main goals:
1. Provide a venue that encourages automotive research. Researchers can submit vulnerability reports against a variety of products and platforms and receive financial rewards.
2. Incentivize manufacturers to participate in the security research community. Connect the global community of security researchers with automakers to improve vehicle safety and resiliency.
3. Focus on automotive sub-components. The hope is that everyone will focus on the complex systems that make up the modern automotive ecosystem rather than treating the car as a single microcontroller.
Tesla is a partner of the competition. ChargePoint will provide the electric vehicle chargers used in the competition. Researchers from VicOne will assist in determining the attack surface of the electric vehicle targets and provide technical guidance. The competition's cash and prize pool comes to $1 million. Remote participation is allowed. Entrants must register before January 18, 2024 and, by the close of registration, provide a white paper explaining their exploit chain and how to run it. As in previous competitions, the order of attempts will be determined by drawing lots.
The competition is divided into four categories:
1. Tesla
2. In-vehicle infotainment system (IVI)
3. Electric vehicle charger
4. Operating system
Tesla Category
In 2019, the Pwn2Own contest introduced an automotive category for the first time, and this Pwn2Own Automotive contest will cover similar ground. Entrants register against bench-top equivalents of the Tesla Model 3/Y (Ryzen-based) or Tesla Model S/X (Ryzen-based). Note that while a Tesla is one of the prizes, not all successful attempts will win a Tesla. Some targets offer additional options, but to drive away in a Tesla, contestants will need to go after a target in the "Vehicle Included" category of the table.
Below is additional information about optional extras included in the target.
Entrants planning to participate in this category must notify ZDI two weeks before the competition so that hardware resources can be coordinated.
In-Vehicle Infotainment (IVI) Category
When looking at targets inside a car, the first thing that comes to mind is the in-vehicle infotainment (IVI) system. It can act like a radio and connect to your phone, but it can also do much more: navigation, in-car Internet and WiFi are all provided through these devices, and they can also be connected to other vehicle systems through the CAN bus, which makes the IVI an attractive target for attackers. These devices also retrofit existing vehicles with modern capabilities, and possibly with modern vulnerabilities. This Pwn2Own Automotive contest will provide three IVIs as target devices. Attempts in this category must target exposed services or communication protocols/physical interfaces accessible to ordinary users.
Electric Vehicle Charger Category
While there is plenty of research on electric vehicles, the same cannot be said for the chargers we plug them into. Attack surfaces such as mobile applications, BLE connections, and the OCPP protocol can allow threat actors to cause damage to electric vehicles. This competition will provide six different electric vehicle chargers. Attempts must target the target's exposed services or its communication protocols/physical interfaces that are accessible to ordinary users.
Operating System Category
Most people don't think about the operating systems in their cars, but if you drive a recently released Mercedes-Benz, Subaru, Mazda or Toyota, there's a good chance the vehicle runs an automotive-grade Linux system. How do these in-vehicle operating systems compare to desktop operating systems? That is what the competition is about to discover. Attempts in this category must target an exposed service/feature, or a communication protocol that is accessible to ordinary users.
More details can be found in the original article.
Original link
https://www.zerodayinitiative.com/blog/2023/8/28/revealing-the-targets-and-rules-for-the-first-pwn2own-automotive
Title image: Pixabay License
This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate "Reprinted from Qianxin Code Guard https://codesafe.qianxin.com" when reprinting.