Researchers at French cybersecurity firm Synacktiv are walking away with $350,000 and a new Tesla after hacking into a Tesla Model 3's energy management and infotainment systems during a hackathon this week.
Driving the news: During this week's Pwn2Own hacking competition in Vancouver, Canada, hosted by Trend Micro's Zero Day Initiative, security teams have broken into Teslas, Microsoft's Windows 11 and Apple's macOS.
The big picture: The Zero Day Initiative works with vendors like Tesla to create a series of hacking challenges for participants to try to overcome.
- The challenges vary in difficulty: For the Tesla challenge, the easiest task involved exploiting the car's Bluetooth/Wi-Fi systems and the hardest would have resulted in a takeover of the Tesla's autopilot feature.
Details: Synacktiv's research team was able to exploit two vulnerabilities in the Tesla Model 3 — one in the Gateway energy management system and the other in the infotainment center — to gain just enough access to the car's controls that driving would be unsafe.
- In the campaign targeting the Gateway, Synacktiv's team was able to open the front of the car, as well as the doors, while the vehicle was in motion.
- To target the infotainment center, the team exploited a flaw in the Bluetooth chipset to gain what's known as "root access," which typically means intruders have the ability to download apps and use other device-specific controls.
- The competition wasn't conducted on the actual vehicle itself over fears that it could impact other nearby Teslas or result in hackers being able to move the vehicle through the conference center, Dustin Childs, head of threat awareness at the Zero Day Initiative, told Axios.
The intrigue: Tesla, which is a sponsor of the Pwn2Own competition, was on-site to learn about the security flaws hackers found so they could start working on patches.
What's next: Tesla is expected to issue a patch to fix the bug hackers found within the next three months, although Childs said the automaker has historically released patches from previous Pwn2Own competitions earlier than that.