Pwn2Own Automotive 2024 - Day Two Results
January 24, 2024 | Dustin ChildsWelcome to Day Two of the first ever Pwn2Own Automotive. We awarded $722,500 yesterday for 24 unique 0-days. Today’s attempts promise to be just as exciting, with another Tesla attempt at 1300 Japan Standard Time (GMT +9). As always, we’ll be updating this blog with results as we have them.
BUG COLLISION
-- Team Tortuga successfully used a 2-bug chain against the ChargePoint Home Flex. However, the exploit used was previously known. They still earn $15,000 and 3 Master of Pwn Points.
SUCCESS - The Midnight Blue / PHP Hooligans team used a 3-bug chain to exploit the Phoenix Contact CHARX SEC-3100. They earn $30,000 and 6 Master of Pwn Points.
BUG COLLISION - Computest Sector 7 successfully executed their attack against the JuiceBox 40 Smart EV Charging Station. However, the bug they used was previously known. They still earn $15,000 and 3 Master of Pwn Points.
FAILURE - Sina Kheirkhah was not able to get his exploit of the Autel MaxiCharger AC Wallbox Commercial working in the time allotted.
SUCCESS - The Synacktiv team used a 2-bug chain to attack the Tesla Infotainment System. They earn $100,000 and 10 Master of Pwn Points.
SUCCESS - NCC Group EDG successfully used a 2-bug chain against the Alpine Halo9 iLX-F509. They earn $20,000 and 4 Master of Pwn Points.
FAILURE - PCAutomotive’s attempt to exploit the JuiceBox 40 Smart EV Charging Station was unsuccessful.
BUG COLLISION - Katsuhiko Sato successfully executed his attack against the Sony XAV-AX5500. However, the bug he used was previously known. He still earns $10,000 and 2 Master of Pwn Points.
SUCCESS - Synacktiv used a 3-bug chain to exploit Automotive Grade Linux. They earn $35,000 and 5 Master of Pwn Points.
SUCCESS - Le Tran Hai Tung used a 2-bug chain against the Alpine Halo9 iLX-F509. He earns $20,000 and 4 Master of Pwn Points.
WITHDRAWN - Sina Kheirkhah withdrew his entry against the EMPORIA EV Charger Level 2. Penalty: -3 Master of Pwn Points.
WITHDRAWN - Team Cluck withdrew their entry against Automotive Grade Linux. Penalty: -2.5 Master of Pwn Points.
SUCCESS / BUG COLLISION - Computest Sector 7’s 2-bug chain against the Autel MaxiCharger AC Wallbox Commercial was a success. However, one of the bugs used was previously known. They still earn $22,500 and 4.5 Master of Pwn Points.
FAILURE - Sina Kheirkhah was not able to get his exploit of the Alpine Halo9 iLX-F509 working in the time allotted.
FAILURE - Alex Olson was not able to get his exploit of the Phoenix Contact CHARX SEC-3100 working in the time allotted.
SUCCESS - fuzzware.io used a 2-bug chain to exploit the ChargePoint Home Flex. They earn $30,000 and 6 Master of Pwn Points.
SUCCESS - The Midnight Blue / PHP Hooligans team used a stack-based buffer overflow to exploit the Autel MaxiCharger AC Wallbox Commercial. They earn $30,000 and 6 Master of Pwn Points.
BUG COLLISION - fuzzware.io used a 2-bug chain to successfully exploit the Alpine Halo9 iLX-F509. However, the exploits used were previously known. They still earn $10,000 and 2 Master of Pwn Points.
SUCCESS - RET2 Systems used a stack-based buffer overflow to exploit the JuiceBox 40 Smart EV Charging Station. They earn $30,000 and 6 Master of Pwn Points.
BUG COLLISION - fuzzware.io used a 2-bug chain to attack the Autel MaxiCharger AC Wallbox Commercial. However, both bugs were previously known. They still earn $15,000 and 3 Master of Pwn Points.
That’s a wrap for Day 2 of Pwn2Own Automotive. We’ve already awarded over $1,000,000 in prizes this week (¥150 million!) Tune back in tomorrow here or across social media for the final day of the contest!