A Tesla Model 3 car was hacked by a team of security researchers at the Pwn2Own 2019 hacking contest, which was held this week in Vancouver, Canada.
The researchers, Amat Cama and Richard Zhu of team Fluoroacetate, hacked the Tesla car through its browser. They used a JIT bug in the browser renderer process to execute code on the car’s firmware and show a message on its entertainment system.
The contest was announced last fall and, according to the rules, the winners get to keep the car. They also receive a cash reward of $35,000.
According to a Tesla spokesperson, the company would soon release an update to address this Pwn2Own vulnerability. He also thanked the researchers for their effort and skills and their continuous support to ensure the safety of the cars.
The car hackers’ team Fluoroacetate also won the three-day contest after earning 36 “Master of Pwn” points for successful exploits in Apple Safari, Firefox, Microsoft Edge, VMware Workstation, and Windows 10.
The researchers were also rewarded with $375,000 in prize money, making it a total of $545,000 during the whole three-day competition.
This is the second time the same team has won the Pwn2Own hacking contest. They ranked first and received the “Master of Pwn” trophy at the Pwn2Own Tokyo conference in November 2018.
Pwn2Own, which is organized by Trend Micro’s Zero-Day Initiative team, is considered to be the top hacking contest for white-hat researchers in the information security (infosec) world.
Several security researchers attend the Pwn2Own competitions and demonstrate exploits against a list of pre-defined targets. The hackers get points and money for each successful exploit. Only new vulnerabilities may be used in the contest, and they are then immediately revealed to the software vendors.
Numerous companies that had their apps hacked at Pwn2Own are now sponsoring the contest. They also have engineers on-site to receive the vulnerability reports from the researchers, and at times patches are provided within hours.
This year, Mozilla patched Firefox a day after researchers demoed two exploits at Pwn2Own. Besides Firefox and Tesla’s browser, several researchers exploited vulnerabilities in Apple Safari, Microsoft Edge, VMware Workstation, Oracle VirtualBox, and Windows 10.
The video summaries for Pwn2Own’s days one, two and three are embedded below.