On Saturday the 28th of September, McCaulay Hudson (@_mccaulay) and Alex Plaskett (@alexjplaskett) presented “Revving Up: The Journey to Pwn2Own Automotive 2024” at RomHack Rome. In 2024 NCC EDG compromised 3 automotive devices at Pwn2Own Automotive in Tokyo to win $90,000. This talk covers the whole journey, from building and setting up research environments, through finding vulnerabilities, to developing exploits eligible for the competition.
A recording of the presentation can be viewed here:
https://www.youtube.com/watch?app=desktop&v=43ngR6j8en8
The full abstract for the talk presented was as follows:
Throughout this presentation we will describe our process with a deep dive into in-vehicle entertainment systems and an electric vehicle (EV) charger controller (Phoenix Contact CHARX SEC-3100).
We will reveal multiple zero-day vulnerabilities which were used to compromise these devices. EV charging security is currently a hot topic: over 3 million charging stations are expected in Europe by the end of 2024, and the number is continuously expanding.
However, most importantly we will describe our methodology and approach, allowing aspiring bug hunters to understand the trials and tribulations of vulnerability research against automotive targets. This will also allow vendors to see the amount of effort vulnerability researchers put into compromising these devices.
Our talk will include attack surface research and how we prioritise finding vulnerable areas. We will also demonstrate tooling we use to speed up and automate the process. We will discuss both hardware and software attacks, and the need to first perform hardware attacks to gain an understanding of the target before software-only exploits could be developed to obtain remote code execution.
For fun we will also demonstrate both a light show on the CHARX device and porting and running DOOM on the Alpine IVI.
Briefly we will discuss our failures and lessons learned, to show that not everything was plain sailing with the research.
Finally, we will wrap up with conclusions and guidance to both automotive manufacturers and prospective hacking competition participants.