March 25, 2019 at
In the 12 years that Pwn2Own has been running, there has never been an automotive category until this year. Tesla donated their new Model 3 sedan to the competition as not only a challenge but as a prize as well.
Richard Zhu and Amat Cam, the superstar duo of the second day who call themselves Fluoroacetate, were the winners of the car. The duo had won $375 thousand going into the third day and was expected to be the overall winners.
The first entrant, a team called Team KunnaPwn decided to withdraw their automotive entry. They were followed by the now wildly popular Fluoroacetate, who garnered particular praise form Zero Daily Initiative and onlookers alike with their elegant Edge, Windows and VMWare busting bug on the second day of the competition.
ZDI reports that they “thrilled the crowd” upon entering the target vehicle. After a few minutes of setting up, they were able to successfully demonstrate the research; they had done with regards to the Model 3’s web browser. In full view of the many cameras and the onlooking crowd, they used a JIT bug in the renderer to display a message and earned 35 thousand dollars for their efforts – in addition to the car they had just hacked.
Tesla’s response to the bug
In layman’s terms, a JIT (or Just-In-Time) bug is one that allows the attacker to bypass memory randomization data that is used to keep secrets protected. Tesla was on hand and told TechCrunch that they would release a software patch to fix the vulnerability found by Fluoroacetate immediately.
In an email statement put out by the company, they confirmed that they were happy to be a part of Pwn2Own and that the bug that found is the reason they were willing to donate the car in the first place. They added that they were happy that the multiple layers of security prevented any further breaches and that it was confined to the browser, with all other car functions being protected.
The company went on to say that their participation in a “world-renowned Pwn2Own competition” can only help them get better, and praised the “most talent members of the security research community” for giving them exactly the type of feedback that it was their goal to receive by being such an active participant of the competition.
They thanked the researchers, acknowledging the “extraordinary amount of effort and skill” it had taken them to find the bug and thanking them further for helping Tesla to make sure that their cars would continue to be among the most secure on the road in 2019.
Fluoroacetate the big winners, keeping up their record
— Zero Day Initiative (@thezdi) March 22, 2019
This overall win by Fluoroacetate’s Amat Cam and Richard Zhu is not a surprise, according to ZDI. The two blew through the first two days and impressed everyone at the competition with their Microsoft Edge bug that allowed them to escape a VM instance. Their good work in Vancouver is carrying on the dominance they showed in Tokyo’s Pwn2Own that was held in November. ZDI added that they were impatient to see what the two had in store for other competitions and future Pwn2Own showings.
Overall, Pwn2Own 2019 Vancouver finished with 19 bugs found across a variety of software. VMWare WorkStation, Microsoft Edge and Windows, Mozilla Firefox, Apple’s Safari browser and Tesla’s model 3 were all exposed. However, the results all go to the companies involved to make their products better, so it benefits the tech companies as well as the researchers ZDI confirms.