Tesla Model 3: Hack It To Win It
Another reason to pwn all the things.
Here’s one more way to get your hands on a Tesla Model 3: just break into it. No, not like some common everyday street criminal. Rather, like a Hot Pocket-eating 15-year-old computer nerd. Facile stereotypes aside, we are serious, though. Trend Micro’s Zero Day Initiative (ZDI) Pwn2Own is a competition that matches computer security researchers against certain targets, rewarding the most successful with prizes. This year, the contest gets an automotive category, and its new target, a mid-size Mid Range rear-wheel drive Tesla sedan, is also one of the prizes.
It’s all going down at this year’s CanSecWest Vancouver conference in March. Participants can win a number of cash prizes — some up to $250,000 — by discovering vulnerabilities. Some areas of attack include the infotainment system, modem or tuner, and key fobs or phone-as-key. That latter bit of hardware, the fob, was compromised by researchers as recently as last September. Along with stacks of cash, the first-round winner of the automotive category gets the car.
The concept of the automaker paying out to software fault-finders isn’t new, of course. Back in 2015, Tesla invited hackers to have a go at the Model S during DEF CON 23. The company also runs a bug bounty program and recently increased its scope and payout. Additionally, if you mess up your car’s systems while running down a vulnerability, Tesla will do what they can through an update or “reflash” to bring your car back to normal.
It’s hoped that by allowing white-hat hackers to climb all over their code, any holes in the matrix can be sealed and solved before more nefarious types can take advantage of system weaknesses. If you have the sort of skills that might be put to good use, we have the event’s official press release just below this list of Model 3 targets and prizes.
Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global leader in cybersecurity solutions, today announced its spring vulnerability research competition, Pwn2Own Vancouver, run by Trend Micro’s Zero Day Initiative™ (ZDI). This year’s contest includes an entirely new automotive category, through a partnership with Tesla, as well as a continued partnership with Microsoft and sponsorship from VMware. Collectively, more than $1 million in cash and prizes is available for researchers through the contest.
Continuing the IoT focus of the recent Pwn2Own Tokyo, which added consumer IoT devices to the contest’s targets, this year’s Pwn2Own Vancouver expands its target list to include a Tesla Model 3, the best-selling luxury vehicle in the U.S. last year. Tesla pioneered the concept of bringing over-the-air software updates to automobiles in 2012, and since then, the company has issued hundreds of over-the-air updates that have made Tesla cars smarter, faster, safer and more enjoyable to drive. Tesla’s involvement in the competition marks a new step in the era of connected devices.
“Since 2007, Pwn2Own has become an industry-leading contest that encourages new areas of vulnerability research on today’s most critical platforms,” said Brian Gorenc, senior director of vulnerability research for Trend Micro. “Over the years we have added new targets and categories to direct research efforts toward areas of growing concern for businesses and consumers. This year, we’ve partnered with some of the biggest names in technology to further this commitment and continue driving relevant vulnerability research.”
The partnerships add new platforms to the contest’s well-known list of targets, including virtualization platforms, enterprise applications, web browsers, and more. The full list of targets includes:
- Automotive Category
  - Tesla Model 3
- Virtualization Category
  - Oracle VirtualBox
  - VMware Workstation
  - VMware ESXi
  - Microsoft Hyper-V Client
- Browser Category
  - Google Chrome
  - Microsoft Edge
  - Apple Safari
  - Mozilla Firefox
- Enterprise Applications Category
  - Adobe Reader
  - Microsoft Office 365
  - Microsoft Outlook
- Server-side Category
  - Microsoft Windows RDP
“We develop our cars with the highest standards of safety in every respect, and our work with the security research community is invaluable to us. Since launching our bug bounty program in 2014 – the first to include a connected consumer vehicle – we have continuously increased our investments into partnerships with security researchers to ensure that all Tesla owners constantly benefit from the brightest minds in the community,” said David Lau, Vice President of Vehicle Software at Tesla. “We look forward to learning about, and rewarding, great work in Pwn2Own so that we can continue to improve our products and our approach to designing inherently secure systems.”
“It’s inspiring to see some of today’s leading tech companies taking the initiative to secure their products by leveraging the incredibly talented minds participating in Pwn2Own,” said Dragos Ruiu, CanSecWest event organizer. “The target list for the contest is certainly impressive, and I’m excited to see what kinds of creative solutions researchers will demonstrate during the competition.”
This year’s expansion in Pwn2Own furthers Trend Micro’s focus on securing the connected world by partnering with major vendors in this space. The company recently announced several other initiatives in this vein, including a joint venture agreement with Moxa Inc. and a program to help IoT device makers tackle security during manufacturing.