Pwn2Own Reveals a Tesla Bluetooth to Root Hack

Pwn2Own is a computer hacking contest held once or twice a year since 2007. It is operated by the Zero Day Initiative (ZDI) and featured at the CanSecWest security conference in Vancouver, British Columbia, Canada. The contest lets the world's best IT researchers and practitioners demonstrate security vulnerabilities in widely used software and hardware.

In short? If you are excited by hacking, Pwn2Own is the cybersecurity equivalent of the Super Bowl.

Pwn2Own participants are given a set of targets, including web browsers, operating systems, and mobile devices, and are challenged to exploit known or unknown zero-day vulnerabilities in an attempt to gain complete control of the target. Prizes are awarded for successful breaches, typically consisting of a cash reward and the target system itself... hence the competition's name: Pwn2Own.

(Of course, for the uninitiated, the word "pwn", pronounced "pone", is hacker slang from the early 2000s roughly translated as "exploit!")

Pwn2Own has also helped to raise awareness of the importance of cybersecurity, including operational technology (OT) security, and of the need for secure coding practices and application security assessments.

So what made 2023's event so interesting, especially when it comes to root hacks? Well...

Two Tesla Exploits Discovered At Pwn2Own 2023

Although cyberattacks against vehicles aren't a new concept, this year's Pwn2Own reflected the recent spike in vehicle hacking: a team of French researchers, Synacktiv, demonstrated two exploits against the Tesla Model 3. One of the exploits took less than two minutes and gave the team root access to automotive subsystems that control the vehicle's safety and other components.

Considering that the Tesla Model 3 is equipped with a suite of advanced driver-assistance systems (ADAS) for semi-autonomous capabilities such as adaptive cruise control, automatic lane centering, and automatic emergency braking, the potential damage that could be caused by this hack is shockingly severe.

It was quite remarkable how quickly and thoroughly the winning Synacktiv team could breach the Tesla Model 3. Let's take a look at the exploit details:

The First: TOCTTOU Exploit

The first Tesla exploit leveraged a time-of-check-to-time-of-use (TOCTTOU) vulnerability in the Model 3's Gateway energy management system (EMS). To demonstrate the power of the exploit, the team opened the trunk of the car while it was in operation; they also claimed the exploit gave them virtually unlimited ability to compromise all functions of the automobile.

TOCTTOU vulnerabilities are flaws in the way software or hardware is designed. They occur when an attacker can change the state of a variable between the time a logic flow checks that state and the time a sensitive action is taken based on it.

One common place attackers try to exploit them is double-spending funds in e-commerce web applications. They have a particularly destructive impact when they can be used to circumvent access controls and escalate privileges, which was the case in the Tesla Model 3 Bluetooth hack.
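The double-spend case described above, as an added C example that is not part of the original post and is unrelated to the Tesla Gateway code: a constructed store-credit balance (the account type, amounts and function names are all assumptions) where the check and the debit are separate steps, beside a hardened version in which the check and the debit are a single atomic compare-and-swap so there is no window between them for a second request to exploit.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example: a store-credit balance in cents, assumed for illustration. */

/* Vulnerable design: the balance check and the debit are two separate steps,
 * so another request can run between them (time of check vs. time of use). */
typedef struct {
    long balance;
} racy_account_t;

bool racy_can_spend(const racy_account_t *a, long amount) {
    return a->balance >= amount;          /* time of check */
}

void racy_spend(racy_account_t *a, long amount) {
    a->balance -= amount;                 /* time of use */
}

/* Hardened design: check and debit form one atomic compare-and-swap, so no
 * other request can change the balance between the two. */
typedef struct {
    atomic_long balance;
} safe_account_t;

bool safe_spend(safe_account_t *a, long amount) {
    long current = atomic_load(&a->balance);
    while (current >= amount) {
        /* Succeeds only if the balance is still 'current'. On failure 'current'
         * is reloaded with the value another request wrote, and we re-check. */
        if (atomic_compare_exchange_weak(&a->balance, &current, current - amount))
            return true;
    }
    return false;                         /* insufficient funds */
}

/* Two checkout requests for the same amount whose checks both run before
 * either debit (the interleaving an attacker races to produce). Returns the
 * final balance; with the racy design it goes negative. */
long racy_double_spend(long start, long amount) {
    racy_account_t a = { start };
    bool first_ok  = racy_can_spend(&a, amount);
    bool second_ok = racy_can_spend(&a, amount);   /* still sees the full balance */
    if (first_ok)  racy_spend(&a, amount);
    if (second_ok) racy_spend(&a, amount);         /* spends money that is already gone */
    return a.balance;
}

/* The same two requests against the hardened design. Returns the final balance
 * and reports how many requests were accepted through *accepted. */
long safe_double_spend(long start, long amount, int *accepted) {
    safe_account_t a;
    atomic_init(&a.balance, start);
    *accepted = 0;
    if (safe_spend(&a, amount)) (*accepted)++;
    if (safe_spend(&a, amount)) (*accepted)++;     /* rejected: check and debit are one step */
    return atomic_load(&a.balance);
}

int main(void) {
    int accepted;
    printf("racy design: final balance %ld cents\n", racy_double_spend(100, 100));
    long left = safe_double_spend(100, 100, &accepted);
    printf("atomic design: %d of 2 requests accepted, %ld cents left\n", accepted, left);
    return 0;
}
```

The racy simulation spells out the interleaving explicitly rather than relying on threads, because a real race is non-deterministic; the structural point is that a design with separate check and use functions permits that interleaving at all, while the compare-and-swap design has no gap in which the balance can change unnoticed. The same reasoning applies to file-permission checks, session-state checks and any other check-then-act sequence.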

The Synacktiv team was rewarded with a new Tesla Model 3 and $100,000 in cash for this particular exploit.

The Second: Combination Exploit

Synacktiv's second exploit attacked the car's Bluetooth chipset directly and combined a heap overflow vulnerability with an out-of-bounds write to break into the Model 3's dashboard entertainment system. From that initial entry point, the team was able to pivot and again gain root access to other subsystems, including the core automotive functions of the car.

A combination attack, also known as "exploit chaining", involves using multiple exploits or attack techniques in sequence to achieve the attacker's ultimate goal. Typically a single exploit is not enough for an attacker to achieve their goals, and cyberattacks can be broadly split into a "first stage", when an attacker gains initial access to a target system, and a "second stage", when the attacker works towards their end-game by conducting internal reconnaissance, stealing information, compromising the network to infect additional hosts, and potentially deploying ransomware.

A heap overflow occurs when a program writes data beyond the end of a buffer allocated on the heap, the region of memory used for dynamic memory allocation. An out-of-bounds write occurs when a program writes data beyond the allocated bounds of an array or buffer on the stack or in global memory. In both cases, the flaw can be exploited when an attacker supplies malformed input that the program does not validate properly.
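To make the "malformed input the program does not validate" concrete, here is an added C example that is not part of the original post and is not Tesla's or the chipset vendor's code. It uses a constructed length-prefixed message format (an assumption, not a real Bluetooth protocol) and shows a receiver that trusts the sender's length byte, which lets an oversized length write past a fixed heap buffer, beside a hardened receiver that checks the length against both the buffer's capacity and the bytes actually received before copying anything.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format, assumed for illustration (not a real Bluetooth or
 * Tesla protocol): byte 0 is the payload length N, bytes 1..N are the payload.
 * The receiver copies the payload into a fixed-size heap buffer. */
#define MAX_PAYLOAD 16

typedef struct {
    uint8_t *data;   /* heap allocation of exactly MAX_PAYLOAD bytes */
    size_t   len;
} record_t;

/* Vulnerable receiver: trusts the sender-controlled length byte. A length above
 * MAX_PAYLOAD makes memcpy write past the end of the 16-byte heap buffer (a heap
 * overflow); a length above the bytes actually received also reads out of bounds.
 * Kept for comparison only; never call it with untrusted input. */
record_t *parse_record_unsafe(const uint8_t *pkt, size_t pkt_len) {
    (void)pkt_len;                         /* the received length is never consulted */
    record_t *r = malloc(sizeof *r);
    r->data = malloc(MAX_PAYLOAD);
    r->len  = pkt[0];
    memcpy(r->data, pkt + 1, r->len);      /* no bounds check on r->len */
    return r;
}

/* Hardened receiver: every length derived from input is checked against both the
 * destination capacity and the number of bytes actually received before any copy. */
record_t *parse_record_safe(const uint8_t *pkt, size_t pkt_len) {
    if (pkt == NULL || pkt_len < 1)
        return NULL;                       /* no length byte to read */
    size_t n = pkt[0];
    if (n > MAX_PAYLOAD)
        return NULL;                       /* would overflow the heap buffer */
    if (n > pkt_len - 1)
        return NULL;                       /* would read past the received bytes */

    record_t *r = malloc(sizeof *r);
    if (r == NULL)
        return NULL;
    r->data = malloc(MAX_PAYLOAD);
    if (r->data == NULL) {
        free(r);
        return NULL;
    }
    memcpy(r->data, pkt + 1, n);
    r->len = n;
    return r;
}

void record_free(record_t *r) {
    if (r != NULL) {
        free(r->data);
        free(r);
    }
}

/* Returns the accepted payload length, or -1 if the hardened parser rejected the packet. */
int safe_payload_len(const uint8_t *pkt, size_t pkt_len) {
    record_t *r = parse_record_safe(pkt, pkt_len);
    if (r == NULL)
        return -1;
    int len = (int)r->len;
    record_free(r);
    return len;
}

/* Constructed sample packets. */
static const uint8_t PKT_OK[]        = { 0x04, 'a', 'b', 'c', 'd' };   /* well-formed: 4 bytes */
static const uint8_t PKT_EMPTY[]     = { 0x00 };                       /* well-formed: 0 bytes */
static const uint8_t PKT_TRUNCATED[] = { 0x05, 'a', 'b' };             /* claims 5, carries 2 */
static const uint8_t PKT_OVERLONG[]  = { 0x20, 0x41, 0x41, 0x41 };     /* claims 32 > MAX_PAYLOAD */

int main(void) {
    printf("well-formed: %d\n", safe_payload_len(PKT_OK, sizeof PKT_OK));
    printf("empty:       %d\n", safe_payload_len(PKT_EMPTY, sizeof PKT_EMPTY));
    printf("truncated:   %d\n", safe_payload_len(PKT_TRUNCATED, sizeof PKT_TRUNCATED));
    printf("overlong:    %d\n", safe_payload_len(PKT_OVERLONG, sizeof PKT_OVERLONG));
    return 0;
}
```

The hardened parser rejects both malformed packets outright and only then allocates, so a bad length never reaches memcpy. The same two checks (destination capacity and source availability) are what protect a stack or global array from an out-of-bounds write; only the location of the buffer differs.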

The Pwnees were awarded a handsome $250,000 USD and received the competition's first-ever Tier 2 award, reserved for highly impactful vulnerabilities and exploits.

Conclusion

The annual Pwn2Own is one of the world's most prestigious hacking competitions. This year, it delivered on its promise and purpose: to uncover the world's most dangerous IT vulnerabilities, ranging from the wireless takeover of an automobile to the hacking of the most common software that protects our cities and personal data.

As concerning as it might be that the Tesla Model 3, equipped with a suite of advanced driver-assistance systems (ADAS) and semi-autonomous driving capabilities, was compromised entirely wirelessly, it is one less attack that can take place in the wild.

Ready to take this lesson onboard for your own organization? Contact our team today or download our Buyer's Guide.
