
Tesla Hacked 4 Times In One Day

Although we are much more used to reading about passwords being stolen by the billion, threat actors targeting our smartphones, and the occasional hardware hack pointed at things such as our routers, that’s not the be-all and end-all of the hacking threat. Your car is also on the hacking radar, as a recent report regarding 13 security vulnerabilities impacting Mercedes-Benz owners detailed. Now, Tesla owners are in the spotlight as hackers managed to successfully compromise the brand no fewer than four times in a single day of hacking frenzy. Here’s what happened, and why.

Hackers Make $129,500 In One Day Of Attacking Tesla Targets

Pwn2Own is a competitive hacking event with a long and noble history stretching back to 2007; that it attracts some of the best ethical hackers and security researchers on the planet is a testament to its reputation. These hackers gather to see who can be the first, running against the clock, to successfully hack a variety of targets, from smartphones to printers and routers, using a zero-day compromise, that is, an exploit using a vulnerability that is unknown to the vendor. For the second year running, Pwn2Own, organized by the Trend Micro Zero-Day Initiative, has seen an automotive-exclusive event. Last year, Pwn2Own Automotive earned the hackers taking part an incredible $1,323,750 in rewards over the three-day competition. This year’s event, running from Jan. 22 to Jan. 24 in Tokyo, is being co-sponsored by Tesla and has brought the Tesla wall charger to the hacking table.

The Four Tesla Hacks Explained

Although the full technical details of the exploits used and the vulnerabilities exploited will not be released for 90 days to give Tesla ample time to deploy a fix, here’s what we know about the zero-day hackers targeting Tesla on day two of the Pwn2Own Automotive event. 

The PHP Hooligans hacking team was able to use a zero-day exploit to take over the Tesla Wall Connector and crash it. This was, we are told, done using a “Numeric Range Comparison Without Minimum Check bug (CWE-839),” which earned them a bounty of $50,000.
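To show what the CWE-839 bug class named above looks like in general, here is an added illustration that is not the Wall Connector's code or the exploit used, whose details are unpublished. The device model, message layout and all function names are constructed for this example; it puts a handler that checks only the maximum beside one that checks both bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS     8   /* valid slot indexes: 0..7 */
#define SLOT_BASE 8   /* slot table starts 8 bytes into the arena */

/* Constructed model: arena[0..7] is a "config" area, arena[8..15] the slot
 * table. One flat array keeps the stray write observable and well-defined. */
struct device { uint8_t arena[SLOT_BASE + SLOTS]; };

/* Decode the signed 16-bit big-endian index carried in msg[0..1]. */
static int read_index(const uint8_t *msg) {
    int v = (msg[0] << 8) | msg[1];
    return v >= 0x8000 ? v - 0x10000 : v;
}

/* CWE-839 pattern: only the maximum is checked, so a negative index passes. */
static int set_slot_weak(struct device *d, const uint8_t *msg) {
    int idx = read_index(msg);
    if (idx >= SLOTS) return -1;
    if (SLOT_BASE + idx < 0) return -1;  /* demo guard: stay inside arena */
    d->arena[SLOT_BASE + idx] = msg[2];  /* idx = -3 lands in config */
    return 0;
}

/* Hardened: enforce both the minimum and the maximum before indexing. */
static int set_slot_strict(struct device *d, const uint8_t *msg) {
    int idx = read_index(msg);
    if (idx < 0 || idx >= SLOTS) return -1;
    d->arena[SLOT_BASE + idx] = msg[2];
    return 0;
}

/* Send one constructed message {idx, 0x41}; return config byte arena[5],
 * which starts as 0xAA and should never change. */
static int config_after(int (*handler)(struct device *, const uint8_t *), int idx) {
    struct device d;
    unsigned u = (unsigned)idx;
    uint8_t msg[3] = { (uint8_t)((u >> 8) & 0xFF), (uint8_t)(u & 0xFF), 0x41 };
    memset(d.arena, 0xAA, sizeof d.arena);
    handler(&d, msg);
    return d.arena[5];
}

int main(void) {
    printf("weak:   config byte = 0x%02X\n", config_after(set_slot_weak, -3));
    printf("strict: config byte = 0x%02X\n", config_after(set_slot_strict, -3));
    return 0;
}
```

Declaring the index as an unsigned type removes the negative range altogether, which is the other common fix for this class.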

A hacking team from Synacktiv used a logic bug, as part of an exploit chain, to compromise the Tesla Wall Connector via the charging connector. Their work was described as “outstanding and inventive research,” and the hackers were awarded a $45,000 bounty.

Two further teams successfully attacked Tesla. Their entries were not zero-days as such but what are known as collisions, because the exploits used a previously known vulnerability as part of the compromise.

Radu Motspan, Polina Smirnova and Mikhail Evdokimov from the PC Automotive team successfully exploited the Tesla Wall Connector, earning $22,500.

Sina Kheirkhah of the Summoning Team, meanwhile, used a two-vulnerability chain to exploit the Tesla Wall Connector, earning $12,500 in the process.