Dozens of vulnerabilities have been discovered in vehicle charging systems, in-car entertainment technology, and modem subsystems from the world's largest auto suppliers, including Tesla.
The vulnerabilities, around 50 in total, were discovered thanks to the Pwn2Own Automotive hacking competition held during the Automotive World Conference in Tokyo earlier this month.
First launched in 2007, the Pwn2Own concept brings together the world's leading security researchers and “white hat” hackers to find security flaws in consumer technology. Since 2019, the annual competition has also included connected cars and their associated infrastructure.
During this year's three-day challenge, contestants quickly discovered vulnerabilities in Automotive Grade Linux, ChargePoint, JuiceBox, Phoenix Contact, and Ubiquiti Connect EV Station electric vehicle chargers. In-car entertainment systems from Alpine, Pioneer, and Sony (although these tended to be aftermarket head units rather than factory-supplied devices) and Tesla car modems were also targeted. According to Hackster.io, the latter gave root access.
As the competition progressed, additional bugs were discovered in Autel and Emporia chargers, bringing the total to 49 “unique zero-day vulnerabilities” over three days. The total prize pool was $1 million. Team Synacktiv discovered the most security flaws, earned the most points, and took home a total of $450,000.
Vulnerability details are kept strictly confidential to protect affected users and prevent follow-on attacks. The information released by the Zero Day Initiative (ZDI) organizers is limited to statements such as “U0K++'s Vudq16 and Q5CA successfully performed stack-based buffer overflow against Alpine Halo9 iLX-F509,” which is not particularly useful to the average car owner for now.
However, the detailed information becomes the property of ZDI and is then privately disclosed to each affected manufacturer, giving them the opportunity to release a patch and avoid future issues.
Analysis: Cars are a digital security nightmare
One of the most popular buzzwords in the automotive industry right now is “software-defined vehicle.” This is an umbrella term related to the proliferation of connected features found in modern vehicles.
Thanks to the increasing data transfer speeds of 4G and 5G networks, cars on today's roads can be updated remotely and can even 'talk' to existing infrastructure and other cars.
When an EV is connected to a public charging station, the vehicle, RFID card, and smartphone app used during the transaction hand over a set of owner information, including name, email address, location, browsing history, and online behavior patterns, according to an article published by the IAPP, the world's largest global information privacy community.
Adding to this, a Mozilla study found that modern cars are the “worst product category ever surveyed for privacy” due to poor data protection practices, and vulnerable infotainment systems have allowed some security researchers to access restricted vehicle features, such as paid premium features on Tesla or BMW cars.
Even more worrying is the rise in vehicle thefts as criminals use sophisticated technology to mimic remote keyless systems. Canadian Prime Minister Justin Trudeau recently announced that a summit will be held next month to coordinate a national response to auto theft, which has increased rapidly across Canada in recent years.
Events like the Pwn2Own Automotive competition help expose flaws in modern vehicles and their associated digital ecosystems, but they only scratch the surface of the privacy and security issues facing modern connected cars. If anything, they are further evidence that more needs to be done.