WHY2025

Low Energy to High Energy: Hacking nearby EV-chargers over Bluetooth
2025-08-10 , Andromeda
Language: English

During the first Pwn2Own Automotive, organised by ZDI in Tokyo in January 2024, Computest Sector 7 successfully demonstrated exploits for vulnerabilities in three different EV-chargers. All three could be exploited to execute arbitrary code on the charger; the only prerequisite was being close enough to connect over Bluetooth.


As electric vehicles become increasingly integrated into our transportation infrastructure, the security of their charging systems is becoming paramount. A threat actor hacking EV chargers at scale could have a real-life impact on the continuity of our power grid and the transportation sector. Therefore, it is important that manufacturers and operators are well aware of their role in protecting our power grid.

During this talk we'll discuss the details of how we extracted the firmware, the vulnerabilities we found and the story of one drunk night of hacking till 07:00 AM in Tokyo that resulted in some vulnerabilities with much higher impact than were needed for the competition...

Daan Keuper is the head of security research at Computest Security. This division is responsible for advanced security research on commonly used systems and environments.

Daan participated five times in the internationally known Pwn2Own competition by demonstrating zero-day attacks against the iPhone, Zoom and multiple ICS applications. In addition, Daan did research on internet-connected cars, in which several vulnerabilities were found in cars from the Volkswagen Group.

Thijs Alkemade works at the security research division of Computest Security in The Netherlands. This division is responsible for advanced security research on commonly used systems and environments.

Thijs has participated in the famous Pwn2Own competition four times, first by demonstrating a zero-day attack against Zoom at Pwn2Own Vancouver 2021, then by demonstrating multiple exploits in ICS systems at Pwn2Own Miami 2022, next by hacking 3 different EV-chargers at Pwn2Own Tokyo 2024 and finally by performing a "SOHO-smashup" at Pwn2Own Ireland 2024.

In previous research he demonstrated several attacks against the macOS and iOS operating systems. He has a background in both mathematics and computer science, which gives him a lot of experience with cryptography and programming language theory.
