Tesla Model 3’s onboard browser attacked successfully at Pwn2Own
A prolific duo of white-hat hackers exploited a previously unknown flaw in the web browser for the Tesla Model 3’s infotainment system on the third and final day of the Pwn2Own competition, demonstrating the first automotive zero-day in the event’s history.
Team “Flouroacetate” — aka Amat Cama and Richard Zhu — used the Tesla hack on Friday to cap off a dominant run in the competition, which takes place annually during the CanSecWest security conference in Vancouver, British Columbia. Cama and Zhu successfully demonstrated zero-day exploits on popular web browsers and widely used virtualization software during the first two days.
The Zero Day Initiative (ZDI), the organization that runs Pwn2Own, didn’t release many details about the Tesla hack. Given the sensitivity of any flaws in automotive software, it’s hardly surprising. But the value of Cama and Zhu’s research to Tesla is clear: Not only did the duo win cash for their demonstration, the automaker let them keep the Model 3 itself.
“After a few minutes of setup, and with many cameras rolling, they successfully demonstrated their research on the Model 3 internet browser,” according to a blog post from ZDI. “They used a JIT bug in the renderer to display their message,” earning $35,000 for the day and a grand total of $375,000 for the entire contest.
Telsa said it is already working on fixing the bug, and that it welcomed the chance to expose the Model 3 to “the most talented members of the security research community, with the goal of soliciting this exact type of feedback.” Teams typically prepare for weeks or months to demonstrate zero-day exploits at Pwn2Own.
“There are several layers of security within our cars which worked as designed and successfully contained the demonstration to just the browser, while protecting all other vehicle functionality. In the coming days we will release a software update that addresses this research,” a Tesla spokesperson said. “We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”
Telsa said welcomes independent security research on its vehicles, and in September it announced that hacking any of its cars as part of a “good faith” effort would not void the warranty.
The other team that was scheduled to demonstrate its Model 3 research, “Team KunnaPwn,” withdrew its entry, ZDI said.
Flouroacetate also claimed the overall title of “Master of Pwn” by piling up more contest points than any other competitors.
ZDI is supported by cybersecurity company Trend Micro. The organization pushes for responsible disclosure of software vulnerabilities and runs a bug bounty program in addition to events like Pwn2Own.