Tag

Security Researchers

All articles tagged with #security researchers

"Pwn2Own 2024: Tesla Hacked with 24 Zero-Days"

Originally Published 1 year ago — by BleepingComputer

Source: BleepingComputer

Security researchers at Pwn2Own Automotive 2024 hacked a Tesla modem and earned $722,500 for three bug collisions and 24 unique zero-day exploits, with Synacktiv Team leading with $100,000 for chaining three zero-day bugs. The competition also saw successful hacks on EV charging stations and infotainment systems, with vendors given 90 days to release security fixes after zero-day bugs are reported. The contest, focusing on automotive technologies, targets Tesla in-vehicle infotainment systems, EV chargers, and car operating systems, offering a top prize of $200,000 and a Tesla car for VCSEC, gateway, or autopilot zero-days.

"Flipper Zero: The Tiny Device Causing iPhone Chaos"

Originally Published 2 years ago — by The Verge

Source: The Verge

iPhones running iOS 17 are vulnerable to a Bluetooth attack using a Flipper Zero device, which can crash the phone by overwhelming it with pop-up windows. The attack is performed by sending a combination of Bluetooth Low Energy alerts to nearby iPhones. This exploit does not affect iPhones running older iOS versions. Similar attacks can also be used on Android devices and Windows laptops. The only reliable way to protect against this attack on iOS 17 is by disabling Bluetooth. Apple has not yet released an update to fix this issue.

State-sponsored hackers exploit zero-day vulnerabilities to target security researchers

Originally Published 2 years ago — by BleepingComputer

Source: BleepingComputer

Google's Threat Analysis Group (TAG) has reported that state-sponsored hackers from North Korea are targeting security researchers using at least one zero-day exploit in an undisclosed popular software. The attackers use social media platforms like Twitter and Mastodon to establish contact with the researchers and then send them malicious files designed to exploit the zero-day. The payload collects information from the researchers' systems and sends it to the attackers' command and control servers. This campaign is similar to previous attacks in January 2021, indicating the involvement of the Lazarus Group. The primary objective of these attacks appears to be the acquisition of undisclosed security vulnerabilities and exploits.