Pwn2Own is a twice-a-year hacking conference that includes various contests for hackers to hack things and win the thing that got hacked. At this month’s Pwn2Own conference in Vancouver, that included a Tesla Model 3, which a French company was able to exploit in less than two minutes.
Of course, a lot more work went into the hack than a couple of minutes, though when it is time to shine at the competition, the hackers have only 10 minutes per attempt. They completed two different Tesla hacks, with the first one earning them $US100,000 and a Model 3, and a second, more sophisticated one earning them $US250,000. That latter one they completed with 8:45 left on the clock.
You can watch a terribly unexciting, if also very wholesome, video of this great feat here:
In the interests of safety, the hackers did not in fact hack into a Model 3 but merely the head unit that operates navigation and infotainment, because who knows what a hacked Model 3 is really capable of. As in, Synacktiv says that, combined with its other Model 3 win, they could’ve taken over the car.
After having finished their exploit in a hotel room, @_p0ly_ and @vdehors successfully compromised the Tesla Model 3 infotainment through Bluetooth and elevated their privileges to root!
Combined with the previous entry, this could have been a full chain to take over the car! https://t.co/AEZERvO6Ko pic.twitter.com/6R1b72h0iz
— Synacktiv (@Synacktiv) March 23, 2023
I applaud these experienced and very pleased men. Synacktiv, a name which is making me hungry, also won top spot at the event.
That’s a wrap for #P2OVancouver! Contestants disclosed 27 unique 0-days and won a combined $1,035,000 (and a car)! Congratulations to the Masters of Pwn, @Synacktiv, for their huge success and hard work! They earned 53 points, $530,000, and a Tesla Model 3. #Pwn2Own pic.twitter.com/xtd0cdjGC3
— Zero Day Initiative (@thezdi) March 24, 2023
Pwn2Own began in 2007 for the purposes of ethical hacking but has had a somewhat lower profile in recent years. It added cars in 2019, and a Tesla Model 3 was hacked that first year, via ZDNet:
Team Fluoroacetate — made up of Amat Cama and Richard Zhu — hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process to execute code on the car’s firmware and show a message on its entertainment system.
As per contest rules announced last fall, the duo now gets to keep the car. Besides keeping the car, they also received a $US35,000 reward.
“In the coming days we will release a software update that addresses this research,” a Tesla spokesperson told ZDNet today in regards to the Pwn2Own vulnerability. “We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”
An email sent to Tesla for comment on this year’s hack went unreturned, though I’ll update this post if I hear back.