A group of security researchers has, once again, proven that Tesla vehicles’ high-tech software and systems are easily exploited. At Zero Day Initiative’s Pwn2Own 2023 hacking competition this week, cybersecurity firm Synacktiv successfully cracked both Tesla’s infotainment and Gateway networks in a Model 3 car, as first reported in a Zero Day blog post.
As the “Pwn2Own” name of the contest suggests, the researchers subsequently won the vehicle — along with a combined cash prize of $US350,000 for the two achievements.
On Wednesday, Synacktiv’s white hat hackers breached the Model 3’s Gateway system. Tesla’s Gateway is an energy management interface that communicates between Tesla vehicles and Tesla Powerwalls — the company’s home grid system. Though the security researchers weren’t working on an actual vehicle, the breach would’ve theoretically allowed them to open the car’s doors and front hood, per an Axios report.
CONFIRMED! @Synacktiv successfully executed a TOCTOU exploit against Tesla – Gateway. They earn $100,000 as well as 10 Master of Pwn points and this Tesla Model 3. #Pwn2Own #P2OVancouver pic.twitter.com/W61NasJPAl
— Zero Day Initiative (@thezdi) March 22, 2023
The following day, Synacktiv was also able to “exploit the infotainment system” on a Tesla and gain extensive enough access to potentially “take over the car,” according to a tweet from the cybersecurity firm. Zero Day, too, seemed to back up this assessment in its own post announcing an increased prize for the accomplishment.
CONFIRMED! @Synacktiv used a heap overflow & an OOB write to exploit the Infotainment system on the Tesla. When they gave us the details, we determined they actually qualified for a Tier 2 award! They win $250,000 and 25 Master of Pwn points. 1st ever Tier 2 award. Stellar work! pic.twitter.com/IPOnXG5S0u
— Zero Day Initiative (@thezdi) March 23, 2023
Combined and applied maliciously, the hacks would’ve easily rendered a Tesla car unsafe to drive. Thankfully, they were confined to the corporate-sponsored competition. To the company’s credit, Tesla put its tech up for the test, and will almost certainly patch the security flaws uncovered at Pwn2Own.
That said, this is far from the first time that security researchers and hackers have broken into a Tesla. Last year, a white hat uncovered a vulnerability that could lead to one of the EVs being stolen. Also in 2022, a teenager claimed to have breached an entire global fleet of 25 different Teslas — and to be able to run remote commands on those vehicles. Additional past hacks have demonstrated security vulnerabilities in the cars’ key fobs and data security systems.