At Pwn2Own, a high-profile hacking contest, two men took away the big prize for demonstrating a flaw in a Tesla Model 3's infotainment system. The prize? A Tesla Model 3, along with additional cash. This was the first time a car had featured as a challenge in the competition. It was the 12th edition of Pwn2Own, which is run by Trend Micro's Zero Day Initiative (ZDI) and has awarded more than $4 million in prizes over the years.
ZDI says that the duo that took home the Tesla Model 3, Richard Zhu and Amat Cama of team Fluoroacetate, "thrilled the assembled crowd" as they entered the vehicle and successfully demonstrated their research on the Model 3's internet browser.
The two used a JIT (just-in-time) bug to display their message on the screen. A JIT bug is a flaw in a just-in-time compiler, and exploiting one can bypass the memory randomisation that helps keep data protected. Tesla told TechCrunch that it would release a software update to fix the flaw discovered by Zhu and Cama.
— Zero Day Initiative (@thezdi) March 22, 2019
“We entered Model 3 into the world-renowned Pwn2Own competition in order to engage with the most talented members of the security research community, with the goal of soliciting this exact type of feedback. During the competition, researchers demonstrated a vulnerability against the in-car web browser,” Tesla said in an emailed statement.
“There are several layers of security within our cars which worked as designed and successfully contained the demonstration to just the browser while protecting all other vehicle functionality. In the coming days, we will release a software update that addresses this research. We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”