Key Takeaways:
- The Pwn2Own Automotive competition uncovered 76 unique zero-day vulnerabilities in automotive software systems, including Tesla infotainment and EV chargers.
- French privacy regulators fined an unnamed company €3.5M for sharing customer loyalty data with a social network without explicit consent.
- A vulnerability in Google’s Gemini AI could expose a user’s daily schedule through a malicious calendar invitation.
- Bug bounty platform Hackerone published a new safe harbor document for AI security testing, setting a new standard for good faith AI security research.
- A cybersecurity researcher discovered over 149 million unique login/password combinations exposed online, highlighting the importance of password security.
Introduction to Pwn2Own Automotive Competition
The Pwn2Own Automotive competition, held annually at Automotive World in Tokyo, is a platform for ethical hackers and security experts to test the vulnerability of automotive software systems. This year’s competition saw a record 73 entries, with participants attempting to exploit various targets, including Tesla infotainment and EV chargers. The competition is structured to reward successful exploits with cash prizes and points, with the amount increasing based on the uniqueness, impact, and complexity of the exploit. The event is organized by Trend Micro’s Zero Day Initiative, which paid out over $1 million to successful competitors.
Pwn2Own Competition Highlights
The largest single-exploit payout of the three-day event went to a team of security researchers from Fuzzware.io, who exploited a single out-of-bounds write vulnerability in the Alpitronic HYC50 EV charger. The team took home $60,000 and earned six points for their successful exploit. Fuzzware hackers ended up earning the Master of Pwn title with a total of 28 points and total winnings of $215,500 over seven successful demonstrations. Another team also managed to exploit a Time-of-Check to Time-of-Use vulnerability in the HYC50 charger, leveraging it to install a playable version of Doom on the charger’s screen. The Tesla infotainment system was also fully taken over by the Synacktiv team by chaining an information leak with an out-of-bounds write vulnerability.
French Privacy Regulators Fine Company for Data Violations
French privacy regulators have fined an unnamed company €3.5M for sharing customer loyalty data with a social network without explicit and informed consent. The National Commission on Informatics and Liberty reported the fine, which was imposed on December 30, for actions taking place since February 2018. The company had been transmitting email addresses and telephone numbers of customers to the social network for targeted advertising purposes, affecting over 10.5 million Europeans from 16 countries. The actions of the unnamed firm amounted to multiple violations of both the EU General Data Protection Regulation and the French Data Protection Act.
Vulnerability in Google’s Gemini AI
A vulnerability in Google’s Gemini AI could expose a user’s daily schedule through a malicious calendar invitation. The vulnerability, discovered by runtime security outfit Miggo, allows an attacker to inject a prompt-injection payload hidden in the event description, causing Gemini to write a summary of private meetings into a newly created calendar event that may be visible to the attacker. While Google has already patched the exploit, Miggo noted that it highlights the need to think of AI as an entire new application layer that merits new security considerations.
Hackerone’s Safe Harbor Document for AI Security Testing
Bug bounty platform Hackerone has published a new safe harbor document for AI security testing, setting a new standard for good faith AI security research. The document provides clear, standardized authorization for AI research, removing uncertainty on both sides. Organizations that adopt the agreement commit to treating good-faith AI research as authorized and to refraining from legal action against security researchers who test their AI systems, provided researchers follow conditions similar to traditional security programs.
Exposure of Login/Password Combinations
A cybersecurity researcher discovered over 149 million unique login/password combinations exposed online, highlighting the importance of password security. The dataset, which included accounts from multiple social media platforms, dating apps, streaming services, financial services, banking and credit-card logins, and even government credentials from multiple countries, was compiled using infostealer and keylogging malware. The researcher noted that the database appeared to have been left exposed online for nearly a month, potentially allowing others to access the credentials. This incident serves as a timely reminder to reset passwords regularly and prioritize password security.
