Numerous automotive vulnerabilities were exposed during the Pwn2Own hacking contest, including in a Tesla.
During the first two days of the annual hacking contest, researchers from 10 countries found more than 22 zero-day bugs in different technologies. At the Pwn2Own hacking competition in Vancouver this week, researchers from French company Synacktiv demonstrated two separate attacks on the Tesla Model 3. The attacks allowed deeper access to subsystems that control the vehicle’s security and other components.
One of the attacks used a time-of-check-to-time-of-use (TOCTTOU) attack against Tesla’s gateway power management system, while the second exploited a heap overflow vulnerability and an out-of-bounds error in a Bluetooth chipset to break into Tesla’s infotainment system and from there gain root access to other subsystems. The Tesla vulnerabilities were among a total of 22 zero-day vulnerabilities uncovered by researchers from ten countries during the first two days of this week’s three-day Pwn2Own competition.
Rewards for vulnerabilities varied, with vulnerabilities in the automotive category offering the highest rewards. Specifically, the researchers earned a total of $500,000 in rewards for the vulnerabilities in Tesla’s systems, including its infotainment system, gateways, and autopilot subsystems. A total of $600,000 was offered, the highest sum for a single target in the history of Pwn2Own.
In addition to Tesla, bugs in products from VMware, Microsoft and Zoom were disclosed. Over the 16 years of the competition, 530 critical bugs in code were uncovered, resulting in $11.2 million in prize money.