In the Pwn2Own hacking competition, security company Synacktiv managed to crack two different systems on Tesla cars. They had access to the hardware and software of the Tesla Model 3 to look for security holes, and were able to break into the secure system and take control of certain components of the car. The prize for these achievements was a Tesla Model 3 car and $350,000 USD.
Gateway and infotainment systems on Tesla compromised by hackers
Synacktiv first managed to break into the Tesla Gateway system, the one that connects the batteries to the Tesla Powerwall, the home battery system that allows the car to be charged. The Gateway software also appears to be able to control certain aspects of the car, and the hackers were able to unlock the car’s doors and front trunk using this vulnerability. If thieves used this, they could steal anything from the car. This hack was “worth” $100,000 in the competition.
CONFIRMED! @Synacktiv successfully executed a TOCTOU exploit against Tesla – Gateway. They earn $100,000 as well as 10 Master of Pwn points and this Tesla Model 3. #Pwn2Own #P2OVancouver pic.twitter.com/W61NasJPAl
– Zero Day Initiative (@thezdi) March 22, 2023
The second hack, however, is even more valuable: it was awarded a $250,000 USD prize and classified as a “rank 2” vulnerability, the first such prize awarded under Pwn2Own. By hacking into the infotainment system of the Tesla Model 3, the hackers had full control over all components of the car. A hack of this kind could endanger the safety of the driver and passengers.
Of course, Tesla willingly participated in this contest and has access to all the vulnerabilities discovered. The company is also the one that made some of the prizes available. So these vulnerabilities will surely be fixed with software updates.
CONFIRMED! @Synacktiv used a heap overflow & an OOB write to exploit the Infotainment system on the Tesla. When they gave us the details, we determined they actually qualified for a Tier 2 award! They win $250,000 and 25 Master of Pwn points. 1st ever Tier 2 award. Stellar work! pic.twitter.com/IPOnXG5S0u
– Zero Day Initiative (@thezdi) March 23, 2023
Since the contest is called Pwn2Own, the Synacktiv winners also went home with a Tesla Model 3. This isn’t the first time Tesla cars have been shown to be “hacked” for remote control of various components; previous Pwn2Own editions demonstrated other such “hacks”.