The electric automaker is working to release a fix for the underlying vulnerability in a matter of days
Richard Zhu and Amat Cam, aka team ‘Fluoroacetate’, managed to break into the electric sedan via its infotainment system at the Pwn2Own hacking contest in Vancouver, Canada, last Friday. They exploited a JIT (or ‘just-in-time’) bug in the browser renderer process to display a message on the infotainment system.
In addition to walking away with the car, Zhu and Cam received US$35,000 for discovering the bug, reads a Zero Day Initiative report. It’s worth noting that the flaw didn’t enable the ethical hackers to take control of the vehicle itself.
We reported in January that Tesla had decided to put up one of its models as a target at the event, which took place from March 20 to 22.
The duo had a pretty good few days at the event, having scooped $375,000 in prize money in total, including for finding flaws in Apple Safari, Microsoft Edge, VMware Workstation, Oracle VirtualBox, and Windows 10.
In its statement after Zhu and Cam’s find, the electric automaker said that a fix for the vulnerability (classified as CVE-2019-9977) was on its way.
“In the coming days we will release a software update that addresses this research,” reads a statement from Tesla on ZDNet last Friday. “We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”
Tesla launched its own bug bounty program in 2014 and has since given away hundreds of thousands of US dollars in rewards for reporting vulnerabilities in its vehicle systems. According to Teslarati, last year saw the company extend the program to its energy products.