Tesla Model 3 hacked at the 2023 Pwn2Own hacking competition.

The Synacktiv team from France achieved remote penetration of the Tesla Model 3 at the 2023 Pwn2Own hacking competition: they broke into the in-vehicle infotainment (IVI) system from a remote location and from there broke into the Gateway inside the car, realizing the ultimate goal of hackers, remote control over the car.

VicOne, a leading provider of automotive cybersecurity solutions, announced today that its security researchers participated in the observation team at the 2023 Pwn2Own hacking competition. This prestigious event is run by the Zero Day Initiative of Trend Micro, a company that focuses on detecting and preventing cyber threats.

At this year’s Pwn2Own event, the Synacktiv team from France successfully uncovered and exploited zero-day vulnerabilities in the Tesla Model 3, which earned them the championship title and a grand prize of $530,000 in addition to a Tesla Model 3 electric vehicle.

Beyond the vulnerabilities uncovered in the Tesla Model 3, the complex new scenarios identified by participants at Pwn2Own competitions provide valuable insights that help automotive OEMs and Tier 1 suppliers prepare for similar attacks in the real world.

During the Pwn2Own hacking competition, the Synacktiv team demonstrated their prowess by uncovering three zero-day vulnerabilities and executing two attack scenarios against the Tesla Model 3.

In the first attempt on day one of the competition, the team targeted the Gateway of the Tesla Model 3 and exploited a time-of-check to time-of-use (TOCTOU) issue, which enabled the transmission of arbitrary CAN bus messages. This hack took less than two minutes to complete, demonstrating the vulnerability of the Gateway.

The team’s next entry qualified for Pwn2Own’s first-ever Tier 2 award. Synacktiv successfully compromised two subcomponents of the Tesla, namely the Bluetooth/Wi-Fi chipset and the IVI system, to gain root access. They also exploited a heap overflow and out-of-bounds write zero-day vulnerability in the IVI system through a Bluetooth attack. This allowed them to overwrite the IVI system screen with a custom image and gain root-level code execution on the IVI system.

After demonstrating the IVI system vulnerability, Synacktiv attempted to combine both zero-day exploits into one exploit chain. This effort took about four minutes, and the team was able to exploit both vulnerabilities and gain access to the IVI system via a remote Bluetooth attack. Using the IVI system, they sent CAN bus messages to the Gateway, ultimately achieving remote control over the car.

Combining these two zero-day exploits in the competition achieved remote penetration of the vehicle: Synacktiv broke into the IVI system from a remote location and then into the Gateway inside the car, realizing the ultimate goal of hackers, remote control over the car. The demonstration of these vulnerabilities highlights the importance of automotive cybersecurity and the need for automakers to improve their security measures to protect against such attacks.

Pwn2Own is a biannual hacking conference that provides a platform for researchers to showcase their expertise in uncovering weaknesses and vulnerabilities in connected products. Through their demonstrations, the researchers compete for prizes, which often include the devices they have successfully hacked. The participating brands also benefit from the event by receiving information on vulnerabilities in their products, which they can then address to improve their security.

As part of efforts to enhance the security of connected vehicles, Zero Day Initiative is set to expand the Pwn2Own competition by launching Pwn2Own Automotive in 2024, and VicOne will be an integral part of this initiative. The upcoming event will be solely dedicated to automotive security vulnerabilities and will be held during the next Automotive World Conference in Tokyo from January 24-26. The event provides a unique opportunity for automotive manufacturers and other stakeholders to identify and address vulnerabilities in connected vehicles, ultimately leading to a more secure and trustworthy ecosystem.
