A Tesla Model 3 was hacked in less than two minutes at the Pwn2Own annual hacking contest.
A team of researchers from France’s Synacktiv demonstrated two separate exploits against the Model 3 at the competition held in Vancouver last week.
The attacks gave the hackers deep access into subsystems that control the vehicle’s safety and other components. More specifically, one of the exploits involved executing a so-called TOCTTOU (time-of-check-to-time-of-use) attack on Tesla’s Gateway energy management system.
That allowed them to perform actions such as opening the frunk or door of the Tesla Model 3 while the car was in motion, among other things. The researchers claimed they could have been able to have “taken over” the whole car. The team was rewarded with a new Tesla Model 3 and $100,000 in cash for this particular exploit.
For their second hack, Synacktiv researchers broke into Tesla’s infotainment system by exploiting a heap overflow vulnerability and an out-of-bounds write error in a Bluetooth chipset. In doing so, they were able to gain root access to other subsystems.
This exploit won the researchers an even bigger $250,000 prize and Pwn2Own’s first ever Tier 2 award reserved for particularly impactful vulnerabilities and exploits, Dark Reading reports.
“The biggest vulnerability demonstrated this year was definitely the Tesla exploit. They went from what’s essentially an external component, the Bluetooth chipset, to systems deep within the vehicle,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), which organizes the annual contest.
Because of the risk involved in hacking an actual Tesla vehicle, the researchers demonstrated their exploits on an isolated vehicle head unit. The head unit controls the car’s infotainment system and provides access to navigation and other features.
The Tesla vulnerabilities were among a total of 22 zero-day vulnerabilities uncovered by researchers from 10 countries during the first two days of the three-day Pwn2Own contest.
Tesla has been investing heavily in cybersecurity in recent years, working closely with white-hat hackers. The company has been offering large prizes and its electric cars for hacking challenges such as those organized by the Pwn2Own contest.
