As we’ve learned over the past few years, almost anything that connects to the internet, uses Bluetooth or any other wireless protocols, or simply has a computer chip inside can be hacked—and that includes cars. There are just too many potential vulnerabilities across all these surfaces for hackers to exploit, and every time there’s a software update, there is a chance that new ones get introduced even as the old ones are patched out. (Seriously, keep your software up-to-date, though. It’s the best way to stay as secure as possible.)
With that in mind, researchers from French security firm Synacktiv have won $530,000 and a Tesla Model 3 at Pwn2Own Vancouver, a security competition where “white hat” hackers and security researchers can win the devices with previously unknown vulnerabilities (that they discover and exploit)—plus a cash prize.
The team from Synacktiv demonstrated two separate exploits. In the first, they were able to breach the Model 3’s Gateway system, the energy management interface that communicates between Tesla cars and Tesla Powerwalls, in less than two minutes. They used a Time of Check to Time of Use (TOCTOU) attack, a technique that exploits the small time gap between when a computer checks something like a security credential and when it actually uses it, to insert the necessary malicious code. For safety reasons, they weren’t hacking a real Model 3, but they would have been able to open the car’s doors and front hood, even while it was in motion.
The second exploit allowed the hackers to remotely gain root (or admin) access to the mock Tesla’s infotainment system and from there, to gain control of other subsystems in the car. They used what’s known as a heap overflow vulnerability and an out-of-bounds write error in the Bluetooth chipset to get in. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), told Dark Reading, “The biggest vulnerability demonstrated this year was definitely the Tesla exploit. They went from what’s essentially an external component, the Bluetooth chipset, to systems deep within the vehicle.”
According to TechCrunch, Tesla contends that all the hackers would have been able to do is annoy the driver, though the researchers themselves aren’t so sure. Eloi Benoist-Vanderbeken, one of the Synacktiv researchers, told TechCrunch, “[Tesla] said we wouldn’t be able to turn the steering wheel, accelerate or brake. But from our understanding of the car architecture we are not sure that this is correct, but we don’t have proof of it.” Apparently they are looking forward to fact-checking Tesla’s claim as soon as they get their hands on their new Model 3.
This is the second year in a row that Synacktiv has been able to hack a Tesla. Last year the French security team were also able to exploit the infotainment system, but weren’t able to gain enough access to the rest of the system to win the car.
It’s worth noting that Tesla was a willing participant and provided the car to Pwn2Own. It—along with all the other companies involved—uses the competition as an opportunity to find potentially devastating “zero day” or undiscovered vulnerabilities in their devices so they can fix them. Apparently, the company is already working on a patch for these latest bugs that will roll out automatically.
As well as Tesla, some of the big names at Pwn2Own were Oracle, Microsoft, Google, Zoom, and Adobe. An exploit using two bugs in Microsoft SharePoint was enough to win Star Labs $100,000, while two bugs in Microsoft Teams won Team Viettel $75,000. Synacktiv also picked up another $80,000 for a three-bug exploit against Oracle’s Virtual Box.
In total, contestants found 27 unique zero-day bugs and won a combined $1,035,000 (plus a car).