Tesla has been investing more in its cybersecurity over the last few years, and now it is returning to Pwn2Own to challenge hackers to crack its cars with ~$1 million on the line and a few Model 3 vehicles.
Last year, Tesla went to Vancouver for Pwn2Own, which is a hacking competition run by Trend Micro’s Zero Day Initiative (ZDI).
It offered a Model 3 to whoever manages to find and exploit certain vulnerabilities in the vehicle’s system.
A hacking duo targeted the infotainment system on the Tesla Model 3 and used “a JIT bug in the renderer” to manage to take control of the system.
They left with a brand new Model 3.
These types of hacking competitions with white-hat hackers enable Tesla to test and improve its security systems, which are becoming increasingly important in cars as they are becoming more like computers on wheels.
It’s why Tesla decided to return to Pwn2Own this year and make an even bigger event out of it.
In a press release today, Zero Day Initiative reflected on last year’s event and commented on what they are doing this year:
Last year, we raised more than a few eyebrows by partnering with Tesla to include a Model 3, the best-selling car in its class in the US, as a target, and we ended up awarding the car to two talented researchers. We wanted to include Tesla because they pioneered the concept of a connected car and over-the-air updates nearly a decade ago, and they have been leading the space ever since.
This year, Tesla returns to the contest. Driving off with a brand-new Model 3 will be a harder challenge this year, which means the potential rewards will be much higher as well. Microsoft also returns as partner and VMware returns as a sponsor with their somewhat more traditional Pwn2Own targets. All told, more than $1,000,000 USD in cash and prizes are available to contestants, including the new Tesla car.
This year, they are making ithe Tesla challenge a lot more complex:
[…] we wanted to up the level of complexity for this year’s event. Tesla vehicles are equipped with multiple layers of security, and this time around, there are three different tiers of awards within the Automotive category that correspond to some of the different layers of security within a Tesla car, with additional prize options available in certain instances.
Between the first tier and the “add-on” targets, someone or a group of hackers could potentially walk away with $700,000 and a brand new Tesla Model 3:
The Tesla hacking challenge also includes two other tiers with smaller but also substantial cash prizes, and several targets also include driving off with a Model 3:
The competition is going to be held in March in Vancouver, and people interested can find the full rules for the contest here.
Over the past five years, Tesla has been running a bug bounty program, and according to sources familiar with the effort, the company has given away hundreds of thousands in rewards to hackers who exposed vulnerabilities in its systems.
The automaker increased its max payout per reported bug to $15,000 in 2018, and it also took a great step in reassuring owners who are hacking their own vehicles.
Tesla said that it will not void its warranty when a vehicle is hacked for “pre-approved good faith security research.”
David Lau, vice president of vehicle software at Tesla, commented on their effort:
We develop our cars with the highest standards of safety in every respect, and our work with the security research community is invaluable to us. Since launching our bug bounty program in 2014 — the first to include a connected consumer vehicle — we have continuously increased our investments into partnerships with security researchers to ensure that all Tesla owners constantly benefit from the brightest minds in the community. We look forward to learning about, and rewarding, great work in Pwn2Own so that we can continue to improve our products and our approach to designing inherently secure systems.
Tesla has also been fairly quick to fix vulnerabilities exposed by white-hat hackers.
In 2016, we reported on a Chinese white-hat hacker group, the Keen Security Lab at Tencent, managing to remotely hack the Tesla Model S through a malicious Wi-Fi hotspot. It is believed to be the first remote hack of a Tesla vehicle.
The hackers reported the vulnerability to Tesla before going public and the automaker pushed an update fairly quickly.
FTC: We use income earning auto affiliate links. More.
Subscribe to Electrek on YouTube for exclusive videos and subscribe to the podcast.