Hackers Wins Tesla Model 3 for Exposing Vulnerabilities in Infotainment System

A pair of security researchers, Richard Zhu and Mat won a Tesla Model 3 at Pwn2Own, the annual high-profile hacking contest. Calling themselves “Team Fluoroacetate”, they earned USD 375,000 in prizes and this included the value of the Model 3 for a chink in the vehicle’s infotainment system.

Tesla had offered the contest the vehicle this year as part of its bid to offer the highest level of security to its customers. This was the first time that the hacking contest Pwn2Own had offered a car as one of the prizes. The contest is currently in its 12th year and is organized by Trend Micro’s Zero Day Initiative. Through the course of the program, over USD 4 million has been offered to the winners as prizes.

The winning pair managed to enter the Model 3 when their research on the Model 3 internet browser helped them to find a JIT bug that allowed them display a message on the browser after a few minutes of setup.

A JIT, or just-in-time bug, makes it possible to bypass memory randomization data that would normally enhance the level of protection available to the system. Tesla has said that it would shortly release a software update to fix the vulnerability that the hackers discovered.

Tesla said in a statement that it had entered the Model 3 into the contest to engage with the most talented members of the security research community. The goal of the initiative was to get exactly the kind of feedback it got, that there was a bug in the in-car web browser. The contest demonstrated that the vulnerability was limited to just the browser while all other vehicle functionality was protected. Tesla ensures that there are several layers of security within its vehicles.

The Pwn2Own contest disbursed a total amount of USD 545,000 for the identification of 19 unique bugs in software like Microsoft Windows and Edge, Apple Safari, VMware and Mozilla Firefox.

Tesla has been engaging with hackers from 2014 when the company launched its first bug bounty program. In 2018, Tesla had increased the maximum reward payable from USD 10,000 to USD 15,000 and added its energy products as well. Currently, the bounty program covers Tesla’s vehicles and all directly hosted servers, services and applications.