Tesla Is Target & Prize in White Hat Hacker Contest

A lucrative annual hacking contest is offering participants up to $250,000 to break into or take over a Tesla Model 3 sedan with one winner taking home the car.

The Pwn2Own competition will be held at the CanSecWest cyber-security conference in Vancouver, which starts March 20. Pwn2Own is presented by the Zero Day Initiative, a program that rewards security researchers for uncovering vulnerabilities. The security holes that the winners discover aren’t disclosed until the vendors of the affected products have been able to fix them.

In addition to its partnership with Tesla, ZDI hopes to encourage more research into automotive security.

Contestants will try to take over the Tesla’s Autopilot or block access to it, remotely unlock or start the car and take control of its wireless modem, among other tasks. There are $900,000 in prizes up for grabs, ranging from $35,000 for breaking into the infotainment system to $250,000 for the Autopilot hack.

The rise of connected cars has triggered fears of remote takeovers and sabotage that might cause deadly collisions or immobilize thousands of vehicles. Engine control units (ECUs) that can exchange data over the Internet and components such as infotainment systems that are Internet-connected and linked to more critical systems, are expected to increase the risk of vehicle hacking.

Some attacks have already been demonstrated, including a 2015 attack in which researchers took control of a Jeep Cherokee. Keen Security Lab, part of the China-based Internet giant Tencent, has demonstrated attacks against Tesla vehicles using vulnerabilities that the lab said it reported to Tesla. In a video, the researchers showed what they said was forced braking from 12 miles away.

Tesla has been a keen adopter of connected vehicle technology like over-the-air software updates and remote vehicle monitoring but its ongoing enhancements of vehicles in the field have raised some safety concerns.

A look at the Pwn2Own contest rules conjures a list of attacks that could be frightening if a contestant proved they were possible.

For example, Pwn2Own is looking for attacks that will make the car talk to a rogue basestation or other malicious entity to force code execution using features such as the WiFi or Bluetooth network, the modem, or Autopilot. It expects infotainment system hackers to force the system to browse to malicious content. And successful attacks against the key fob, or a phone used as a key, would be able to unlock or start the Tesla arbitrarily or execute code (A “key fob relay,” which requires close proximity to the car, won’t count).

ZDI is offering add-on prizes for two accomplishments related to other hacks. A hacker whose malicious payload can maintain persistence on the hacked system even after it’s rebooted will get an additional $50,000. An attacker who takes over the car’s CAN bus, the network that links the car’s ECUs, will get an extra $100,000.

Stephen Lawson is a freelance writer based in San Francisco. Follow him on Twitter @sdlawsonmedia.

Leave a comment

Your email address will not be published. Required fields are marked *