Last week, a team of security researchers successfully exploited a flaw in a Tesla Model 3 car on the final day of the Pwn2Own hacking competition in Vancouver, Canada.
TechCrunch reports that Richard Zhu and Amat Cama of team Fluoroacetate were able to hack a Tesla car via its browser.
The pair used a JIT bug to efficiently execute code on the car’s firmware and display a message on its infotainment system.
Tesla awarded the two winners a car and $375,000 (£283,700) for uncovering the vulnerabilities in the Tesla Model 3.
Tesla told TechCrunch that it will release a software update to address the vulnerability discovered by the two hackers.
“We entered Model 3 into the world-renowned Pwn2Own competition in order to engage with the most talented members of the security research community, with the goal of soliciting this exact type of feedback. During the competition, researchers demonstrated a vulnerability against the in-car web browser,” Tesla said in an emailed statement to TechCrunch.
“There are several layers of security within our cars which worked as designed and successfully contained the demonstration to just the browser while protecting all other vehicle functionality. In the coming days, we will release a software update that addresses this research. We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”
Pwn2Own’s spring vulnerability research competition, Pwn2Own Vancouver, was held on March 20-22 and featured a total of five categories, including web browsers, virtualisation software, enterprise applications, server-side software, and the new automotive category.
Zero Day Initiative
The event is run by Trend Micro’s Zero Day Initiative (ZDI), which chooses the software products that security experts will attempt to crack.
“Overall, the three days of Pwn2Own Vancouver 2019 have been a great success. We have awarded a total of $545,000 for 19 unique bugs in Apple Safari, Microsoft Edge and Windows, VMware Workstation, Mozilla Firefox, and – in its inaugural year – the Tesla infotainment system,” ZDI said in a statement.
Tesla has had a strong relationship with the ‘white hat’ hacker community since 2014, when the company launched its first-ever ‘bug bounty’ programme. In 2018, it increased the maximum reward payment from $10,000 to $15,000 and added its energy products as well. All of the company’s vehicles, directly hosted servers, and apps are covered by the bounty programme.