SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Tesla wants people to hack its Model 3
Tue, 15th Jan 2019

Tesla is offering white hat hackers what could be the chance of a lifetime – the opportunity to hack one of its Model 3 vehicles.

Tesla joins Microsoft and VMware as partners in this year's Pwn2Own contest in Vancouver, Canada, which will be held in March.

According to Tesla's vice president of vehicle software David Lau, the company's work with the security research community is invaluable, particularly since the company strives to develop its cars with the highest safety standards “in every respect”.

“Since launching our bug bounty program in 2014 – the first to include a connected consumer vehicle – we have continuously increased our investments into partnerships with security researchers to ensure that all Tesla owners constantly benefit from the brightest minds in the community,” says Lau.

In the Tesla Model 3 category, there are a number of target systems, including WiFi and Bluetooth systems, infotainment, autopilot, key fob and phone-as-a-key systems, modem or tuner, and others. The largest prizes will be awarded to those who find vulnerabilities in the vehicle's Gateway, Autopilot, or VCSEC systems, which could net participants up to $250,000. On top of that, the grand winner will also win a Tesla Model 3.

“We look forward to learning about, and rewarding, great work in Pwn2Own so that we can continue to improve our products and our approach to designing inherently secure systems,” continues Lau.

The full list of targets in this year's contest includes the Tesla Model 3, Oracle VirtualBox, VMware Workstation, VMware ESXi, Microsoft Hyper-V Client, Google Chrome, Microsoft Edge, Apple Safari, Mozilla Firefox, Adobe Reader, Microsoft Office 365, Microsoft Outlook, and Microsoft Windows RDP.

“With the recent announcement of Microsoft moving to a Chromium-based engine, exploits on Google Chrome definitely earn a premium over Edge, Safari, and Firefox,” says Pwn2Own.

“A browser exploit ranges from $40,000 for Firefox up to $80,000 for Chrome. We're also offering $80,000 for anyone who can successfully exploit Edge with a Windows Defender Application Guard (WDAG) specific escape from the WDAG container to the host OS – something we've never seen at Pwn2Own before.

“Contestants can add on another $70,000 if they escape the virtual machine and execute code on the host OS. Some say the browser is the gateway to the cloud. It's certainly the gateway to online shopping. Either way, bugs in these products have a broad impact.”

Collectively, more than $1 million in cash prizes could be awarded to participants.

“Over the years we have added new targets and categories to direct research efforts toward areas of growing concern for businesses and consumers. This year, we've partnered with some of the biggest names in technology to further this commitment and continue driving relevant vulnerability research,” comments Trend Micro senior director of vulnerability research, Brian Gorenc.

Trend Micro also says it is working with the competition to expand its focus on securing the connected world by partnering with major vendors.