Car Hacker’s Adventures in Wonderland – Cansecwest 2024 Journey


This year, I had the opportunity to attend the Cansecwest conference in Vancouver. For those unfamiliar with the event, Cansecwest is a renowned cybersecurity conference known for its focus on technical security talks and cutting-edge Dojo training. One of its highlights is the Pwn2Own, an esteemed hacking competition held annually.

During Pwn2Own researchers showcase their skills by identifying and exploiting vulnerabilities in various software, IoT devices, SCADA systems, and even automotive devices like Tesla cars. Organized by the Zero Day Initiative, Pwn2Own offers substantial cash prizes for successful exploits, making it a much-anticipated event within the Cybersecurity community. In this blog post, I’ll share my insights from the perspective of a car security researcher at this unique event.

Day 1: Pwn2Own – Tesla

The Pwn2Own competition kicked off with a series of typical targets, including Adobe Reader, Windows 11, Ubuntu Linux, and Oracle VirtualBox. Notably, Kyle Zeng from ASU SEFCOM leveraged a tricky race condition to escalate privileges on the Ubuntu Linux desktop, earning him a reward of $20,000 USD.

Tesla has been actively supporting bug bounty programs, including providing the Model 3 as a target for Pwn2Own since 2019. Throughout the years, numerous researchers and teams have tried to exploit the Tesla Model 3. The Synacktiv team from France has notably excelled in Pwn2Own Tesla competitions, winning for the second time in 2024. They used a single integer overflow to exploit the Tesla ECU with Vehicle (VEH) CAN BUS Control.

The only less entertaining aspect was that, for safety reasons, they could not demonstrate the bug on a real Model 3 as they used to. Instead, since their exploit is delivered over Bluetooth, they used a signal-shielded case.

Still, they won $200,000 USD and a new Tesla Model 3. Job well done.

Day 2-3: Pwn2Own Continues and Presentations

On Day 2, the final day of the Pwn2Own competition, ZDI awarded a total of $1,132,500 for 29 unique zero-day vulnerabilities. This year was dubbed the “return of the browser.” Researcher Manfred Paul utilized an Out-of-Bounds Write for Remote Code Execution and exploited an exposed dangerous function bug to achieve sandbox escape in Mozilla Firefox.

Additionally, on Day 1, he utilized a single exploit that targeted both Chrome and Edge, along with integer underflow bugs to exploit Apple Safari. Manfred Paul’s remarkable exploits earned him the title of Master of Pwn and a total prize of $202,500 USD.

On days 2-3 of the conference, there was a flurry of captivating presentations focused on system and automotive security. While some talks may not have been directly related to cars, they are worth mentioning because I believe persistence is key in security research. Moreover, the techniques discussed in these talks may be leveraged as attack vectors for cars.

Yuhao Jiang (@danis_jiang) from Ant Group Light-Year Security Lab delivered a talk titled “URB Excalibur: The New VMware All-Platform VM Escapes”. In his presentation, he shared his insights and experiences on leveraging the virtual USB controller as the primary attack surface of a hypervisor to facilitate virtual machine escapes.

Matthew Alt, a hardware security researcher and founder of VoidStar Security LLC, delivered a talk titled “Glitching in 3D: Low-Cost EMFI Attacks.” 

This presentation describes the utilization of open-source tools to perform an EMFI attack on an STM32F4 microcontroller, enabling a full RDP (read-out-protection) bypass via a targeted EMP. Further details can be found on his website (https://voidstarsec.com/csw-2024/).

Another standout presentation focused on hacking electric vehicles (EVs) with the title “Death By A Thousand Cuts: Compromising Automotive Systems via Vulnerability Chains,” delivered by researcher Linfeng Xiao (@0xp0kerface) from Xiaomi ShadowBlade Security Lab.

In his presentation, he discussed methods to hack an EV without physical contact, starting from a scenario where he had no debugging access, to finally chaining multiple vulnerabilities together into exploit chains for stealing the vehicle through an attack.

One of my favorite talks is titled “Electric Vehicle Chargers: Observations from Pwn2Own Automotive 2024” by Jonathan Andersson, a security researcher from Trend Micro. He graciously showed me one of the in-vehicle infotainment (IVI) systems that was compromised by NCC-Group during the first-ever Pwn2Own Automotive competition. They managed to run the famous game “DOOM” on the targeted IVI system from Alpine.

Jonathan’s presentation delved into his experience during the Pwn2Own Automotive event. Contestants presented a total of 49 successful entries, which included 26 attack chains targeting electric vehicle chargers from various manufacturers such as Juicebox, Autel, ChargePoint, Emporia, Enel X-Way, Phoenix Contact, and Ubiquiti. EV chargers can operate in standalone deployments, but many require connections to the vendor’s cloud or other local management consoles. Some EV chargers are based around embedded microcontrollers that run custom firmware, while other models are observed running full operating systems such as Linux or Android. This makes hacking EV chargers no different from hacking IoT devices.

Since many of the bugs demonstrated during the competition have not yet been fixed, Jonathan could only discuss the vulnerabilities in those EV chargers at a high level. Nonetheless, we can still gain some insights from his talk. The Enel Juicebox is one example. The Juicebox uses the Silicon Labs WGM160P22A SoM (ARM Cortex-M4) as the application CPU. Additionally, it uses the Atmel ATmega328P for metrology, the same chip used in Arduino boards for electronics hobbyists.

The Juicebox was even kind enough to provide JTAG, so the firmware can be debugged and dumped without a chip-off operation. In addition, the Juicebox SoM runs the end-of-life Gecko OS and exposes a telnet port, and the firmware lacks memory-protection mitigations.

All of these factors made the Juicebox one of the easiest targets. Perhaps for the same reason, six teams targeted it during the competition, resulting in 3 full wins and 1 success, albeit with a collision with another team. The exploit involved shellcode injection via a stack buffer overflow.

Final Thoughts

At Pwn2Own Automotive, it was demonstrated that car vendors have a vast number of problems to address, including issues with EV chargers. Aside from the informative sessions, Cansecwest offered plenty of opportunities for networking among fellow researchers. I participated in discussions about the latest trends and challenges in automotive security, exchanged ideas for future research projects, and even gave a lightning talk at the end. This made the conference experience truly unforgettable. I would definitely like to attend it in the future. In addition, for those who are interested in becoming bug bounty hunters for cars, my paper titled “Behind the Dashboard: Tales of a Car Bug Bounty Hunter” has been accepted for BSides Vancouver, taking place on May 27th 2024. See you all next year!