Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own hacking contest in Vancouver. The attacks gave them deep access into subsystems controlling the vehicle's safety and other components.
One of the exploits involved executing what is known as a time-of-check-to-time-of-use (TOCTTOU) attack on Tesla's Gateway energy management system. They showed how they could then — among other things — open the front trunk or door of a Tesla Model 3 while the car was in motion. The less-than-two-minute attack fetched the researchers a new Tesla Model 3 and a cash reward of $100,000.
The Tesla vulnerabilities were among a total of 22 zero-day vulnerabilities that researchers from 10 countries uncovered during the first two days of the three-day Pwn2Own contest this week.
Gaining Deep Access to Tesla Subsystems
In the second hack, Synacktiv researchers exploited a heap overflow vulnerability and an out-of-bounds write error in a Bluetooth chipset to break into Tesla's infotainment system and, from there, gain root access to other subsystems. The exploit garnered the researchers an even bigger $250,000 bounty and Pwn2Own's first-ever Tier 2 award — a designation the contest organizer reserves for particularly impactful vulnerabilities and exploits.
"The biggest vulnerability demonstrated this year was definitely the Tesla exploit," says Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), which organizes the annual contest. "They went from what's essentially an external component, the Bluetooth chipset, to systems deep within the vehicle."
Because of the risk involved in hacking an actual Tesla vehicle, the researchers demonstrated their exploits on an isolated vehicle head unit. The head unit is the control unit of a Tesla's infotainment system and provides access to navigation and other features.
A Slew of Zero-Day Bugs
Some of the other significant discoveries included a two-bug exploit chain in Microsoft SharePoint that fetched Singapore-based Star Labs $100,000 in rewards, a three-bug exploit chain against Oracle VirtualBox with a Host EoP that earned Synacktiv researchers $80,000, and a two-bug chain in Microsoft Teams for which researchers at Team Viettel received $75,000.
The bug discoveries have fetched the researchers a total of $850,000 in winnings. ZDI expects that payouts for vulnerability disclosures will hit the $1 million mark by the end of the contest — or about the same threshold as last year. "We're heading towards another million-dollar event, which is similar to what we did last year and slightly larger than what we did at our consumer event last fall," Childs says.
Since launching in 2007 as a hacking contest largely focused on browser vulnerabilities, the Pwn2Own event has evolved to cover a much broader range of targets and technologies including automotive systems, mobile ecosystems, and virtualization software.
At this year's event, researchers, for example, had an opportunity to take a crack at finding vulnerabilities in virtualization technologies such as VMware and Oracle VirtualBox, browsers such as Chrome, enterprise applications like Adobe Reader and Microsoft Office 365 Pro Plus, and server technologies such as Microsoft Windows RDP/RDS, Microsoft Exchange, Microsoft DNS, and Microsoft SharePoint.
A Wide Range of Hacking Targets
The available awards in each of these categories varied. Eligible exploits and vulnerabilities in Windows RDP/RDS and Exchange, for example, qualified for rewards of up to $200,000. Similarly, VMware ESXi bugs fetched $150,000, Zoom vulnerabilities qualified for $75,000, and Microsoft Windows 11 bugs earned $30,000.
Vulnerabilities in the automotive category — unsurprisingly — offered the highest rewards, with a total of $500,000 up for grabs for researchers who unearthed bugs in Tesla's systems, including its infotainment system, gateway, and autopilot subsystems. Researchers had an opportunity to try their hand against the Model 3 and Tesla S. Those who found ways to maintain root persistence on the car's infotainment system, autopilot system, or CAN bus system had the opportunity to earn an additional $100,000. The total offered payout of $600,000 is the largest amount for a single target in Pwn2Own history.
Ironically, the browser category, which is what Pwn2Own was all about in its early years, drew no researcher interest this year. "We're seeing about the same level of participation as in years past with the exception of the browser category," Childs says. "No one registered for that, and we can only speculate on why that is."
So far, in the 16 years that the event has been around, researchers have discovered a total of 530 critical vulnerabilities across a range of technologies and received some $11.2 million for their contribution.