Two security researchers took home prizes to the tune of $375,000 including a Tesla Model 3 in a Pwn2Own event, the annual high-profile hacking contest. The Tesla car reward was for successfully exposing a vulnerability in the electric vehicle’s infotainment system.
Tesla is the first automaker to participate in a Pwn2Own hacking event, which is run by Trend Micro’s Zero Day Initiative (ZDI). The automaker made a Model 3 available to hackers in order for them to find and exploit vulnerabilities in the vehicle’s system.
Pwn2Own’s spring vulnerability research competition, Pwn2Own Vancouver, was held March 20 to 22 and featured five categories: web browsers, virtualization software, enterprise applications, server-side software, and the new automotive category.
Amat Cama and Richard Zhu of team Fluoroacetate “thrilled the assembled crowd” as they entered the vehicle, according to ZDI, which noted that after a few minutes of setup, they successfully demonstrated their research on the Model 3 internet browser. They targeted the infotainment system on the Tesla Model 3 and used “a JIT bug in the renderer” to take control of the system.
That’s a wrap! Congrats to @fluoroacetate on winning Master of Pwn. Their total was $375,000 (plus a vehicle) for the week. Superb work from this great duo. pic.twitter.com/Q7Fd7vuEoJ
— Zero Day Initiative (@thezdi) March 22, 2019
For exposing the vulnerabilities and giving the automaker the opportunity to improve its software security, Tesla is giving them the Model 3.
Over the past 4 years, Tesla has been running a bug bounty program and according to sources familiar with the effort, the company has given away hundreds of thousands in rewards to hackers who exposed vulnerabilities in its systems.
The automaker increased its max payout per reported bug to $15,000 last year and it also took a great step in reassuring owners who are hacking their own vehicles.
Tesla said that it will not void its warranty when a vehicle is hacked for “pre-approved good faith security research.”
David Lau, Vice President of Vehicle Software at Tesla, commented on their effort:
“We develop our cars with the highest standards of safety in every respect, and our work with the security research community is invaluable to us. Since launching our bug bounty program in 2014 – the first to include a connected consumer vehicle – we have continuously increased our investments into partnerships with security researchers to ensure that all Tesla owners constantly benefit from the brightest minds in the community. We look forward to learning about, and rewarding, great work in Pwn2Own so that we can continue to improve our products and our approach to designing inherently secure systems.”
Tesla has also been fairly quick to fix vulnerabilities exposed by white hat hackers.
Back in 2016, a Chinese white hat hacker group, the Keen Security Lab at Tencent, managed to remotely hack the Tesla Model S through a malicious Wi-Fi hotspot. It is believed to be the first remote hack of a Tesla vehicle.
The hackers reported the vulnerability to Tesla before going public and the automaker pushed an update fairly quickly.
Pwn2Own awarded a total of $545,000 for 19 unique bugs in Apple Safari, Microsoft Edge and Windows, VMware Workstation, Mozilla Firefox, and Tesla.