Revealing the Targets and Rules for the First Pwn2Own Automotive

If you just want to read the rules, you can find them here.

Earlier this year, I announced the ZDI, along with our cohorts at VicOne, will host a new Pwn2Own contest focused on automotive systems – Pwn2Own Automotive – at the upcoming Automotive World conference in Tokyo, Japan, held on January 24th – 26th, 2024. Today, we are releasing the targets and payouts for this inaugural event. As a reminder, we have three primary goals in hosting this event:

1.     Provide an avenue to encourage automotive research. We want to offer a place where researchers can submit and be financially rewarded for reports targeting various products and platforms.
2.     Incentivize vendors to participate in the security research community. We want to connect our global community of security researchers with automotive manufacturers to help improve their security and resiliency.
3.     Bring a focus to the sub-components of a vehicle. Rather than looking at the vehicle as a monolithic unit, we want to bring attention to the multiple complex systems that comprise a modern automobile ecosystem.

We’re also excited to announce Tesla will partner with us on this event. They have worked with us extensively for our Pwn2Own Vancouver event, and we rely on their guidance and understanding of the complexities of electric vehicles (EV). We’re also grateful that ChargePoint decided to provide their EV chargers to use during the contest. The researchers from VicOne have also been essential in helping to determine targets and providing technical guidance on EV attack surfaces. We have more than $1,000,000 USD in cash and prizes available, and we can’t wait to see what researchers bring to demonstrate in Tokyo. However, we know not everyone can make it to Automotive World, so we will allow remote participation similar to other events. You will still need to register before the contest deadline (January 18, 2024) and submit your entry, a detailed whitepaper completely explaining your exploit chain and instructions on how to run the entry by the end of the registration period. If you plan on participating remotely, you will need to contact us even earlier the ensure we put you in the best position for success. We recommend two weeks prior to the deadline at the very latest.

As with other Pwn2Own events, we’ll have a random drawing to determine the schedule of attempts prior to the contest, and we will proceed from there. As always, if you have questions, don't hesitate to get in touch with us at pwn2own@trendmicro.com. We will be happy to address your issues or concerns directly.

Now on to the four categories we’ll have for the first Pwn2Own Automotive contest:

Tesla Category 

We introduced the Automotive Category at Pwn2Own Vancouver in 2019, and Pwn2Own Automotive wouldn’t be complete without something similar. Earlier this year, the team from Synacktiv combined multiple exploits to target a combination of systems. It will be interesting to see what researchers bring to Tokyo. Contestants can register an entry against either a Tesla Model 3/Y (Ryzen-based) or Tesla Model S/X (Ryzen-based) equivalent bench top unit.  Also note that while a Tesla is available as a prize, not every successful attempt will win the vehicle itself. Some of the targets have add-ons available, but to drive away with a Tier 3 prize, a contestant would need to target one of the entries marked “Vehicle Included” in the table below:

Here’s some additional info on the optional add-ons that are included in targets:

Previous exploits in this category have provided highlights of past events, and we’re hopeful we’ll see something similar in Tokyo. If you are going to participate in this category, please notify us at least two weeks before the event so we can source the hardware in time for the contest.  

When we started looking at targets within an automotive system, one of the first things we thought of was the first thing we looked at – the In-Vehicle Infotainment (IVI) system. These serve as radios and connect with our phones, but they do so much more as well. Navigation, in-car internet, and Wi-Fi are provided through these devices, but they also server a connection to other vehicle systems through the CAN bus – making them a ripe target for attackers. These devices are also retrofitted to existing vehicles to modern capabilities – and perhaps modern vulnerabilities as well. For our first Pwn2Own Automotive contest, we’ll have three IVI devices to target. An attempt in this category must be launched against the target's exposed services or against the target’s communication protocols/physical interfaces that are accessible to a typical user.

There’s been a fair amount of research into the security of EVs, but there hasn’t been as much scrutiny around what we plug into an EV. Attack surfaces such as mobile apps, Bluetooth Low Energy (BLE) connections, and the OCPP protocol could all allow threat actor to cause harm to an EV. For this event, we’ll have six different EV Chargers available as targets. An attempt in this category must be launched against the target's exposed services or against the target’s communication protocols/physical interfaces that are accessible to a typical user.

Most don’t think of operating systems within their car, but if you drive a recent Mercedes, Subaru, Mazda, or Toyota, there’s a good chance you’re also driving something with Automotive Grade Linux installed. How do these onboard OSes compare to their desktop counterparts? That’s what we aim to discover. An attempt in this category must be launched against the target's exposed services/features or launched against the target’s communication protocols that are accessible to a typical user.

Master of Pwn

No Pwn2Own contest would be complete without crowning a Master of Pwn, which signifies the overall winner of the competition. Earning the title results in a slick trophy, a different sort of wearable, and brings with it an additional 65,000 ZDI reward points (instant Platinum status in 2025).

For those not familiar with how it works, points are accumulated for each successful attempt. While only the first demonstration in a category wins the full cash award, each successful entry claims the full number of Master of Pwn points. Since the order of attempts is determined by a random draw, those who receive later slots can still claim the Master of Pwn title – even if they earn a lower cash payout. As with previous contests, there are penalties for withdrawing from an attempt once you register for it. If the contestant decides to remove an Add-on Bonus during their attempt, the Master of Pwn points for that Add-on Bonus will be deducted from the final point total for that attempt.

The Complete Details

The full set of rules for Pwn2Own Automotive 2024 can be found here. They may be changed at any time without notice. We highly encourage potential entrants to read the rules thoroughly and completely should they choose to participate. We also encourage contestants to read this blog covering what to expect when participating in Pwn2Own.

Registration is required to ensure we have sufficient resources on hand at the event. Please contact ZDI at pwn2own@trendmicro.com to begin the registration process. (Email only, please; queries via social media, blog post, or other means will not be acknowledged or answered.) If we receive more than one registration for any category, we’ll hold a random drawing to determine the contest order. Registration closes at 5:00 p.m. Japanese Standard Time on January 18, 2024.

The Results

We’ll be blogging and tweeting results in real-time throughout the competition. Be sure to keep an eye on the blog for the latest information. Follow us on Twitter at @thezdi and @trendmicro, and keep an eye on the #P2OAuto hashtag for continuing coverage.

We look forward to seeing everyone in Tokyo and online, and we look forward to seeing what new exploits and attack techniques they bring with them.

With special thanks to our Pwn2Own Automotive 2024 partners, Tesla, for providing their assistance and technology and to ChargePoint for providing hardware to use during the event. Thanks also to the researchers from VicOne for their guidance and recommendations.

©2023 Trend Micro Incorporated. All rights reserved. PWN2OWN, ZERO DAY INITIATIVE, ZDI, and Trend Micro are trademarks or registered trademarks of Trend Micro Incorporated. All other trademarks and trade names are the property of their respective owners.