Security researchers hack and take home Tesla Model 3

A team of security researchers who entered the Pwn2Own 2019 hacking competition in Vancouver, Canada, have won a Tesla Model 3 after finding and exploiting a security vulnerability.

Pwn2Own is an annual hacking contest held at the CanSecWest security conference; it is considered one of the most prestigious contests for white hat ‘ethical’ hackers. Contestants aim to identify and exploit new vulnerabilities in popular software and devices, which are immediately disclosed to the companies for quick patching.

Winners of Pwn2Own receive the device they hacked, in addition to a generous cash prize.

In January, electric vehicle company Tesla offered up a $35,000 (£26,500) Tesla Model 3 as a prize for contestants capable of hacking the car in a new “Automotive” category at the event. No target so expensive has ever before been offered up to Pwn2Own competitors.

“Tesla essentially pioneered the concept of the connected car with their Model 3 sedan, and in partnership with Tesla, we hope to encourage even more security research into connected vehicles as the category continues to expand,” event organiser Zero Day Initiative wrote on its blog.

The first two days of the Pwn2Own 2019 contest saw the hacking duo Fluoroacetate – made up of Amat Cama and Richard Zhu – hack Apple’s Safari browser, Oracle’s VirtualBox, VMware Workstation, Mozilla’s Firefox browser and Microsoft’s Edge browser, collecting hundreds of thousands of dollars in prize money.

On the final day of the contest, Fluoroacetate hacked the Tesla vehicle through its browser. The pair used a bug in the just-in-time (JIT) compiler, the component that compiles code during rather than before execution, in the Tesla browser’s renderer process to execute code on the car’s firmware and display a message on its entertainment system.

As well as keeping the luxury car, they received a further cash prize. The team was crowned overall winner of the contest for the second time for their successful exploits over the three-day event. The team took home $375,000 (£283,000) out of the total prize pot of $545,000 (£412,000).

A Tesla spokesperson told ZDNet that the company would be releasing a software update in the coming days to address the research, adding: “We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”

Tesla has been running a bug bounty programme since 2014, and has reportedly awarded hundreds of thousands of dollars to hackers who have found vulnerabilities in its software.
