Hacker News: Hackers get $886,250 for 49 zero-days at Pwn2Own Automotive 2025

Source URL: https://www.bleepingcomputer.com/news/security/hackers-get-886-250-for-49-zero-days-at-pwn2own-automotive-2025/
Source: Hacker News
Title: Hackers get $886,250 for 49 zero-days at Pwn2Own Automotive 2025

Summary: The Pwn2Own Automotive 2025 contest showcased significant advancements in automotive security, where researchers exploited numerous zero-day vulnerabilities in automotive software and electric vehicle systems, highlighting critical security gaps in these technologies. The competition amassed substantial financial rewards for successful exploit demonstrations, emphasizing the ongoing need for enhanced security measures in the automotive sector.

Detailed Description:
The Pwn2Own Automotive 2025 hacking contest, aimed at enhancing automotive cybersecurity awareness, concluded with an impressive total of $886,250 awarded to participants for exploiting 49 zero-days. Some of the major takeaways from this event include:

- **Targeted Systems**: The competition focused on automotive software and products, including:
  - Electric vehicle (EV) chargers
  - Car operating systems (e.g., Android Automotive OS, Automotive Grade Linux, BlackBerry QNX)
  - In-vehicle infotainment (IVI) systems

- **Security Protocols**: All devices involved in the contest were running the latest operating system versions and had all security updates applied, emphasizing that manufacturers need to enhance their defense mechanisms even with updated systems.

- **Financial Rewards**: Exploiting these vulnerabilities led to substantial financial incentives for researchers:
  - **Day 1**: 16 zero-days led to $382,750 in awards.
  - **Day 2**: 23 additional zero-days were exploited, earning $335,500.
  - **Day 3**: 10 more zero-days brought in $168,000 in rewards.

- **Vendor Responsibilities**: Following the demonstrations at the contest, vendors are given a 90-day window to issue security patches for reported vulnerabilities before Trend Micro’s Zero Day Initiative publicly discloses them, accentuating the timeliness required in responding to security threats.

- **Winners and Rankings**:
  - The event’s champion, Summoning Team’s Sina Kheirkhah, secured $222,250 by exploiting EV chargers and IVI systems, accumulating the most Master of Pwn points.
  - Other notable participants included teams such as Synacktiv, PHP Hooligans, fuzzware.io, and Viettel Cyber Security, each earning substantial sums for their exploits.

- **Historical Context**: Comparisons were drawn to previous editions of the contest, noting the continuous rise in the financial rewards, with earlier versions seeing total rewards of $1,323,750 and $1,132,500 for 49 and 29 zero-day bugs, respectively. This trend highlights an escalating recognition of the importance of automotive security in the modern technological landscape.

Overall, the Pwn2Own Automotive 2025 contest serves as a critical reminder for security professionals in automotive and related fields to prioritize cybersecurity measures, invest in continuous monitoring, and engage in proactive vulnerability management strategies. The contest not only illustrates the vulnerability of automotive systems to exploits but also stresses the need for swift remediation and better security practices to protect consumers and enterprises alike.