Pwn2Own contest will pay $900,000 for hacks that exploit this Tesla



Pwn2Own has been the top hacking contest for over a decade, with cash prizes paid for hacks that compromise the security of all types of devices and software. Browsers, virtual machines, computers and phones have all been fair game. Now in its 13th year, the competition is adding a new category: a Tesla Model 3, with more than $900,000 in prizes available for attacks that subvert a variety of its embedded systems.

The highest prize will be $250,000 for hacks that run code on the car's gateway, autopilot, or VCSEC. The gateway is the central hub that interconnects the powertrain, chassis and other components of the car and processes the data they send. Autopilot is a driver-assistance feature that helps control lane changes, parking, and other steering functions. Short for Vehicle Controller Secondary, the VCSEC is responsible for security functions, including the alarm.

These three systems represent the most critical parts of a Tesla, so it's not hard to understand why hacks that target them are eligible for such large payments. To qualify, hacks must force the gateway, autopilot, or VCSEC to communicate with a rogue base station or other malicious entity. Meanwhile, a denial-of-service attack that disables autopilot will pay $50,000.

Pwn2Own will pay $100,000 for hacks that attack Tesla's key fob or phone-as-key, either by achieving code execution, unlocking the vehicle or starting the engine without using the key. The competition will also pay an additional $100,000 add-on for winning hacks in another category that attack the car's controller area network, or CAN bus. This system allows the vehicle's microcontrollers and devices to communicate with each other.

Yet another category of hacks will target Tesla's infotainment system. Hacks that escape the security sandbox, escalate privileges to root, or gain access to the operating system kernel will fetch $85,000. Otherwise, an infotainment hack will receive $35,000.

Finally, Wi-Fi or Bluetooth hacks pay $60,000. A separate $50,000 add-on will be paid for winning hacks that gain persistence, meaning they maintain root access even after a reboot.

Hacking exposed

Pwn2Own has long attracted attention because it gives hackers the incentive they need to demonstrate exploits that otherwise would never see the light of day. Most of the time, hacks of this caliber are sold privately to exploit brokers or reported privately through bug bounty programs.

Pwn2Own is held twice a year and sponsored by Trend Micro's Zero Day Initiative. ZDI privately reports the vulnerabilities to the responsible vendors. The details are kept secret until the vulnerabilities are fixed.

In addition to Teslas, other categories include virtualization, with a $250,000 award for a successful guest-to-host escalation and $150,000, $70,000, and $35,000 for guest-to-host escalations against VMware ESXi, VMware Workstation and Oracle VirtualBox respectively. A Web browser category will pay $80,000 for Chrome and Microsoft Edge hacks paired with a Windows Defender Application Guard escape. A Firefox exploit will pay $40,000.

The competition will take place in March at the CanSecWest conference in Vancouver. More details on the contest are here.
