Tesla makes electric cars with Internet access. That connectivity is of great benefit to the car (OTA updates), but at the same time it makes people worry (after all, someone may be able to gain access to control your car).
Tesla has always raised the issue of security to an exceptionally high level; this applies to both physical security and cybersecurity. Every year Tesla invests more and more in its cybersecurity.
The Pwn2Own contest has been held in Vancouver since 2007.
"As each new year starts, we at the Zero Day Initiative begin to think of spring and the Vancouver edition of the Pwn2Own contest. It was in Vancouver where the contest began back in 2007 and continues to be where we push the research community and ourselves with new challenges. What do we want to see demonstrated? What products should we focus on?"
Tesla already took part in this competition last year. The organizers wanted to include Tesla because the company first proposed the concept of a connected car and wireless updates almost ten years ago, and it has been a leader in this field ever since. Two hackers participating in the event were able to find a vulnerability in the Model 3’s browser, allowing them to win the vehicle and over $350,000 in prize money.
Last year was the first year for the Automotive category, and Tesla returns as a partner for 2020. The upcoming Pwn2Own event will be held at the CanSecWest conference, which is scheduled to run from March 18-20, 2020. However, the organizers wanted to up the level of complexity for this year’s event. Tesla vehicles are equipped with multiple layers of security, and this time around, there are three different tiers of awards within the Automotive category that correspond to some of the different layers of security within a Tesla car, with additional prize options available in certain instances.
Tier 1 earns the top prizes and represents a complete vehicle compromise. Correspondingly, this also has the highest award amounts. To win this level, a contestant will need to pivot through multiple systems in the car, meaning they will need a complex exploit chain to get arbitrary code execution on three different sub-systems in the vehicle. Success here gets a big payout and, of course, a brand-new Tesla Model 3.
In addition to the vehicle itself and $500,000, contestants can go for the additional options to raise the payout to $700,000. This represents the single largest target in Pwn2Own history. If someone is able to do this, it would also mean 70 total Master of Pwn points, which is nearly insurmountable. Here’s some additional info on the optional add-ons.
Tier 2 is not quite as complex but would still require the attacker to pivot through some of the vehicle’s sub-systems. This level requires the contestant to get arbitrary code execution on two different sub-systems in the vehicle, which is certainly a difficult challenge. If you include the optional targets, the largest payout for Tier 2 would be $500,000. A winning entry in Tier 2 would still be a pretty impressive and exciting demonstration, and includes driving off with the Model 3.
The targets in Tier 3 are just as difficult, but you only need to compromise one sub-system for a win here, which is still no easy task. Not every instance within Tier 3 includes winning the car. To drive away with a Tier 3 prize, a contestant would need to target one of the entries marked “Vehicle Included” in the table below.
Tables provided by Pwn2Own.
Tesla has always been more than just a car company, and this is what makes its vehicles so different from all other cars. The company's participation in such an event only proves this. Tesla cars are equipped with proprietary software and hardware that takes them to a completely new level.
Back in 2014, the company launched its Bug Bounty program, which hackers were invited to participate in. They were asked to find bugs in car software for a fee. Tesla's efforts have largely paid off, as several security features, such as PIN-to-Drive, have now been developed as a result of the Bug Bounty program.
Follow me on Twitter Eva Fox 🦊