Team Fluoroacetate, made up of Amat Cama and Richard Zhu, hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process to execute code on the car’s firmware and show a message on its entertainment system.
As per contest rules announced last fall, the duo now gets to keep the car. Besides keeping the car, they also received a $35,000 reward.
“In the coming days we will release a software update that addresses this research,” a Tesla spokesperson told ZDNet today in regards to the Pwn2Own vulnerability. “We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”
Tesla car hackers also won competition
Not coincidentally, Team Fluoroacetate also won the three-day contest after earning 36 “Master of Pwn” points for successful exploits in Apple Safari, Firefox, Microsoft Edge, VMware Workstation, and Windows 10.
The duo earned $375,000 in prize money, of the total of $545,000 awarded during the whole three-day competition.
This is the second Pwn2Own hacking contest Team Fluoroacetate have won, after also ranking first and receiving the “Master of Pwn” trophy at the Pwn2Own Tokyo conference in November 2018.
What is Pwn2Own?
Pwn2Own, organized by Trend Micro’s Zero-Day Initiative team, is considered the top hacking contest for white-hat researchers in the information security (infosec) world.
Security researchers gather at Pwn2Own competitions and demonstrate exploits against a list of pre-defined targets (software). They earn points and money for each successful exploit. All vulnerabilities used in the hacking contest must be new, and they are immediately disclosed to the software vendors.
Over the past few years, many of the companies which had their apps hacked at Pwn2Own are now sponsoring the contest, and have engineers on-site to receive the vulnerability reports from the researchers themselves, sometimes delivering patches within hours.
This year, Mozilla patched Firefox a day after researchers demoed two exploits at Pwn2Own (see the v66.0.1 changelog).
Besides Firefox and Tesla’s browser, at this year’s Pwn2Own researchers also exploited vulnerabilities in Apple Safari, Microsoft Edge, VMware Workstation, Oracle VirtualBox, and Windows 10.
The video summary for Pwn2Own’s day three is at the top of this article, while summaries for the first two days are embedded below.