Skip to content(if available)orjump to list(if available)

Hackers exploit 16 zero-days on first day of Pwn2Own Automotive 2025

Hackers exploit 16 zero-days on first day of Pwn2Own Automotive 2025

11 comments

·January 23, 2025
Visit

some_random

Actual results here: https://www.zerodayinitiative.com/blog/2025/1/21/pwn2own-aut...

Edit: Day 2 - https://www.zerodayinitiative.com/blog/2025/1/22/pwn2own-aut...

nerdbeere

> While Tesla also provided a Model 3/Y (Ryzen-based) equivalent benchtop unit, contestants have only registered attempts against the company's wall connector.

Can someone provide more context on what this means? Does it imply that it’s not an interesting target, or does it mean that it’s well-tested and secure?

wffurr

This is just the first day. From reading the article, seems like they went after the easier targets first.

some_random

The wall connector definitely isn't considered as interesting as the vehicle itself, although tangentially there's been more focus on chargers lately.

xnx

This seems like great work. Are there any practical implications like being able to flash my car with Android Auto or turn off telemetry?

TheJoeMan

Can anyone in the industry enlighten me to the drive for putting a full OS into a vehicle charger? If you've been watching Phoenix Contact, they are going all in on marketing their EV charger controllers and such. I'm just not seeing what additional functionality they are leveraging vs. an embedded system?

hulitu

> Can anyone in the industry enlighten me to the drive for putting a full OS into a vehicle charger?

Price ?

"Look, the software is tested by the OS maker. We only need to develop and test this tiny programm"

There is an entire industry of blame shifting.

TheJoeMan

I can see the reduced time to market. I ask because in my field my taste of dealing with hospital IT-compliance-checkbox “security” is that disclosing that your device contains an OS in it, somewhere, means a lot of paperwork and you will get calls anytime bad mention of that OS is in the news. These vehicle chargers are supposed to be installed in nowhere Kansas and not touched for 10 years and that seems the opposite of shipping Windows IoT.

teunispeters

This one's easy : v2g with plug-n-charge needs full crypto including some levels of validation (but not others, it's in the specs), as well as infrastructure for organizing certificates, and support for a good IPv6 networking stack (stack is IPv6 only). Wireless support with WPA3/Enterprise is also essential.

I mean it's doable on some embedded platforms, but it's still a pretty large stack of requirements.

There's an additional gotcha that all the prototypes are either java or python. Doesn't seem like any of the others (rust, C) have completely caught up with handling the data and EXI layers. (embedded XML).

I work on V2G now.

loa_in_

Reminds me of the story about trains. We really need these things to get hacked, and also someone who customers of businesses that employ shady software practices, not unlike disabling trains that enter competitors' repair shop, to have a way to see through the practices and maybe pursue legal claims.

null

[deleted]