A cybersecurity team, “Synacktiv”, has just won a historic prize at the “Pwn2Own” event, taking home a Tesla Model 3 and a quarter of a million dollars in cash after successfully and ethically hacking the EV.
For decades, experts discussing car safety meant the safety of the vehicle itself; nowadays they talk just as widely about cybersecurity. Vehicles are increasingly connected and reliant on computers and software, which brings new potential dangers. Tesla is so convinced of the high reliability and cybersecurity of its cars that it regularly challenges hackers around the world to try to find vulnerabilities within the system. The latest, and very talented, team to do so has taken home a Tesla Model 3 and $250,000 in cash.
Software security is critical in today's and tomorrow's vehicles. In the most extreme cases a hacker could not only gain access to the car, but also access the personal data linked to the owner's profile and even take control of the vehicle itself, even while it is being driven. Some people are already a bit paranoid about all this, as is the case with famous rapper Rick Ross, who even refuses to use “online” or connected vehicles at that level.
It is true that breaking into a car as high-tech as a Tesla is, to say the least, very complicated. But it is not impossible, as was demonstrated at the “Pwn2Own” event, which is essentially dedicated to finding software vulnerabilities, albeit with an honest, good-faith approach (improving the general level of security in the car's system). However, given the nature of the event, full details of how the system hack was carried out have not been released, to avoid any potential security risk to Tesla owners.
The group of software specialists that managed to break the system is called “Synacktiv”, and is of French origin. They used a “TOCTOU” (time-of-check to time-of-use) type of attack to gain access to the vehicle, which basically consists of altering internal system files to gain access to the EV. The hackers modified the files that guarantee that whoever accesses the vehicle is someone who should in fact have full physical access, i.e. the part that asks for login credentials. This type of attack exploits the time difference between the moment the system checks the files and the moment a person actually logs in. This earned them an interesting prize of $100,000, but later they successfully passed yet another test, at an even more advanced level.
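The check-then-use gap described above can be shown in a few lines. This is an added example of the general TOCTOU pattern and its fix, not code from Synacktiv or Tesla and not a reconstruction of the unreleased Pwn2Own bug; the file name, its contents and all function names are hypothetical.

```python
import hashlib
import os
import tempfile

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_check_then_use(path, expected, race_window=lambda: None):
    """Vulnerable: validates the path, then opens the path again to use it."""
    with open(path, "rb") as f:                  # time of check
        if digest(f.read()) != expected:
            raise ValueError("digest mismatch")
    race_window()                                # gap between check and use
    with open(path, "rb") as f:                  # time of use: a second read
        return f.read()

def load_verify_what_you_use(path, expected, race_window=lambda: None):
    """Hardened: read once, then check and use those same bytes."""
    with open(path, "rb") as f:
        data = f.read()
    race_window()                                # later changes cannot matter
    if digest(data) != expected:
        raise ValueError("digest mismatch")
    return data

def demo():
    path = os.path.join(tempfile.mkdtemp(), "access_policy.conf")  # hypothetical
    trusted = b"require_login=true\n"            # constructed sample content
    altered = b"require_login=false\n"           # constructed sample content

    def reset():
        with open(path, "wb") as f:
            f.write(trusted)

    def swap():
        # Stands in for any concurrent writer; run at a fixed point so the
        # outcome is deterministic instead of timing-dependent.
        with open(path + ".new", "wb") as f:
            f.write(altered)
        os.replace(path + ".new", path)

    reset()
    vulnerable = load_check_then_use(path, digest(trusted), swap)
    reset()
    hardened = load_verify_what_you_use(path, digest(trusted), swap)
    return vulnerable, hardened

if __name__ == "__main__":
    print(demo())
```

The first loader returns the altered bytes even though its check passed, while the second returns exactly the bytes it verified.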
This same team then managed to penetrate the Tesla infotainment system, one of the most difficult and most rewarding sections in the hacking competition. So much so that it was the first time in the history of the event that someone won a “Tier 2” category award there. The total prize for the group of hackers was very generous: a Tesla Model 3 and $250,000 in cash, certainly a very handsome reward for the ethical software hacking effort.
It is not the first time Tesla has agreed to participate in the Pwn2Own initiative, which is one of the most famous “hacking” events in the world of software engineering. It involves teams of computer hackers who try to break into some of the most popular programs and systems in the world, divided into many different levels and objectives.
Tesla has gone as far as offering $700,000 to whoever manages to completely hack one of its cars and penetrate the deepest part of the vehicle's software the hard way, although so far no one has succeeded. Some subsystems have in fact been penetrated, with rewards ranging between 35,000 and 200,000 dollars, depending on the level of difficulty. It is worth noting that, whenever that has been the case, Tesla has responded promptly by fixing the bug with a solid software update.
Sources: zerodayinitiative & synacktiv, hibridosyelectricos
All images courtesy of Tesla Inc.
Nico Caballero is the VP of Finance of Cogency Power, specializing in solar energy. He also holds a Diploma in Electric Cars from Delft University of Technology in the Netherlands, and enjoys doing research about Tesla and EV batteries. He can be reached at @NicoTorqueNews on Twitter. Nico covers the latest Tesla and electric vehicle happenings at Torque News.