Hackers managed to crack the security of a Tesla Model 3 and made off with a shiny new car and $35k for their efforts.
To be clear, it was all sanctioned by Tesla and not a theft. The automotive manufacturer willingly subjected their vehicle to hackers as part of the Pwn2Own competition.
Pwn2Own provides incentives to put the skills of hackers to good use in ensuring vulnerabilities are patched before they cause harm. Hacks of connected vehicles have the potential to cost lives.
The 2019 edition of the Pwn2Own competition was organised by Trend Micro's Zero Day Initiative (ZDI), which aims to encourage the responsible reporting of zero-day vulnerabilities to affected vendors.
Amat Cama and Richard Zhu of team Fluoroacetate exposed the vulnerability in the Tesla, taking advantage of a JIT bug in the renderer of the vehicle’s infotainment system.
In an emailed statement, Tesla wrote:
“We entered Model 3 into the world-renowned Pwn2Own competition in order to engage with the most talented members of the security research community, with the goal of soliciting this exact type of feedback. During the competition, researchers demonstrated a vulnerability against the in-car web browser.
There are several layers of security within our cars which worked as designed and successfully contained the demonstration to just the browser, while protecting all other vehicle functionality. In the coming days, we will release a software update that addresses this research.
We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”
Tesla has given away hundreds of thousands of dollars to hackers who’ve responsibly exposed vulnerabilities in its systems. While that is a lot, it’s still likely cheaper than dealing with injury or fatality lawsuits and replacing equipment damaged by hackers.