Bottom line: Hackers hacked a Tesla Model 3 using a trinity of exploits. Tesla says that the weaknesses only allowed the attackers to operate non-vital functions and that they could not use them to gain access to the engine or other driving features. The security researchers say they think they could but don’t have proof yet. The back and forth is all a moot point, though, since Tesla has patches on the way.
Last week, researchers at Pwn3Own 2023 found three vulnerabilities in a Tesla Model 3 to win $140,000 and the car. The exploits allowed the team from security firm Synacktiv to control some functions of the vehicle remotely, including operating the lights, horn, windshield wipers, infotainment center, and opening the trunk lid.
The first vulnerability was a Bluetooth hack that gave them a foot in the door. The second was an exploit that granted the hackers root privileges to at least one of the Model 3’s systems allowing them to execute arbitrary code. The third weakness compromised the “security gateway,” which handles some commands sent to the car.
As is customary for the Pwn2Own event, host Trend Micro informed Tesla of the zero-day exploits so it would have a chance to plug the holes before publicly announcing the details of the hacks about 90 days from now. Tesla told Synacktiv that although its team could access some rudimentary functions that would, at worst, annoy the owner, it still would not have been able to execute vital functions like turning the engine on or operating the steering wheel.
However, Eloi Benoist-Vanderbeken, one of Synacktiv’s reverse engineers, indicated that Tesla’s assumption might not be valid.
“[Tesla] said we wouldn’t be able to turn the steering wheel, accelerate, or brake. But from our understanding of the car architecture, we are not sure that this is correct, but we don’t have proof of it,” Benoist-Vanderbeken told TechCrunch.
According to the security expert, the team does not have access to a Tesla, even though it won the hacked Model 3 at the event. He did not mention why they don’t have the car but noted that his team looks forward to fact-checking Tesla’s claim.
While Tesla has not commented publically on the vulnerabilities, it indicated that its developers are working on patches that should roll out in an over-the-air update soon. To the car company’s credit, the Synacktiv team said Tesla is “doing a good job” of hardening its systems.
One of the team’s trickier roadblocks was a “mature” system of sandboxes that locks off one component from another. Such compartmentalization prevents attackers from accessing one system by compromising another. Synacktiv Cyber Security Engineer Vincent Dehors compared Tesla’s security to mobile web browsers.
“It’s not at the point of a modern browser running on an iPhone or an Android, but it’s not that far from it,” Dehors said. “Tesla cars are really well connected to the internet, so they need to take care of security because they are likely to be targeted more than other cars.”
It’s worth mentioning that Synacktiv crushed the competition and took home the title of “Masters of Pwn” in the three-day event. The pro pen testers managed to eclipse second-place finisher Star Labs, 53 to 19.5, winning over half a million of the $1,035,000 prize pool, plus the Tesla Model 3.