Tesla Model 3 Pwn2Own'd
Written by Alex Armstrong   
Friday, 29 March 2019

Team Fluoroacetate was the only one to attempt to hack the Tesla Model 3 at the recent Pwn2Own contest held in conjunction with the annual CanSecWest security contest earlier this month. Their hack was successful enabling them to drive the prize away. 



As reported at the start of the year a new automotive category was added to mix for the latest Pwn2Own with the Tesla Model 3 promised to the first cybersecurity researcher who could hack the car's computer system.. Six possible targets of varying difficulty on the Tesla Model 3 were specified. These augmented the more familiar targets that security researchers have previously tackled, with winners taking away the laptops used to perform the hacks as well as prize money:

  • Virtualization Category - Oracle Virtual Box, VMware ESXi  VMWare Workstation, Microsoft Hyper-V Client
  • Web Browsers Category - Chrome, Edge, Safari, Firefox
  • Enterprise Applications Category -  Adobe Reader, Microsoft Office 365 ProPlus, Microsoft Outlook
  • Server Side Category - Microsoft Windows RDP

Successful hacks also clock up Master of Pwn points and the contestants with the most points at the end of the contest take home the trophy.

Pwn2Own 2019 took place over 3 days. Day One opened with Team Fluoroacetate, Amat Cama and Richard Zhu, targeting the Apple Safari web browser.


According to Dustin Childs on the Zero Day Initiative blog,

They successfully exploited the browser and escaped the sandbox by using an integer overflow in the browser and a heap overflow to escape the sandbox. The attempt nearly took the entire allowed time because they used a brute force technique during the sandbox escape.

Their success earned them $55,000 USD and 5 points towards Master of Pwn.  

The duo then targeted Oracle VirtualBox. After a first attempt in which their code execution failed, second time around they successfully used an integer underflow and a race condition, earning $35,000 and 3 more Master of Pwn points. 

Next they targeted the VMware Workstation, using a race condition leading to an Out-Of-Bounds write to go from the virtual client to executing code on the underlying host operating system. They earned $70,000 USD and 7 additional Master of Pwn points, bringing their Day One total to $160,000 and 15 Master of Pwn points.

On Day Two Fluoroacetate first set about Firefox. They leveraged a JIT bug in the browser, then used an out-of-bounds write in the Windows kernel to effectively take over the system. They were able to execute code at SYSTEM level just by using Firefox to visit their specially crafted website. The effort earned them another $50,000 and five more points towards Master of Pwn.

Next they returned with what the ZDI blog described as: 

perhaps their greatest challenge of the competition.


Starting from within a VMware Workstation client, they opened Microsoft Edge and browsed to their specially crafted web page. That’s all it took to go from a browser in a virtual machine client to executing code on the underlying hypervisor. They started with a type confusion bug in the Microsoft Edge browser, then used a race condition in the Windows kernel followed by an out-of-bounds write in VMware workstation. The masterfully crafted exploit chain earned them $130,000 and 13 Master of Pwn points.

By the end of Day 2 Team Fluoroacetate had amassed out of a total of $340,000, two-thirds of the $510,000 awarded to all contestants, and had a commanding lead of 33 points. 

It had been expected that two teams would compete in the automotive category, the only event on Day Three but Team KunnaPwn withdrew its entry just prior to contest leaving team Fluoroacetate as the sole contender. They had chosen the softest of the available Tesla 3 targets worth $35,000 and 3 Master of Pwn Points and used a JIT bug in the browser renderer process to execute code on the car's firmware and show a message on its Infotainment system.

Undertaking to release a software update that addresses this vulnerability,  a Tesla spokesperson commented

"We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today."

So with a total of 36 "Master of Pwn" points and $375,000 in prize money, Amat Cama and Richard Zhu, were the decisive winners of this year's Pwn2Own.



Team Fluoroacetate left Vancouver with five laptops and the trophy, to put beside the one they received at Pwn2Own Tokyo conference in November 2018,safely stowed in the trunk of the Tesla Model 3. 


More Information

Pwn2Own Vancouver 2019 Day One Results

Pwn2Own Vancouver 2019 Day Two Results

Pwn2Own Vancouver 2019 Wrapping up and rolling out

Rules For Pwn2Own Contest

Related Articles

Pwn2Own Contest To Win A Tesla

Microsoft Edge Falls Victim At Pwn2Own

Get Ready for Expanded Pwn2Own 2017

Pwn2Own 2016 - The Results

Largest Payout Ever At Pwn2Own 2015 


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


Deno Improves JSR Support

Deno has been updated to improve JSR support, and to build on the Temporal API introduced in version 1.4.  Deno is the JavaScript and TypeScript runtime from the creator of Node.js.

GR00T Could Be The Robot You Have Always Wanted

We may not have flying cars, but we could well soon have robots that match up to predictions for the 21st century. Nvidia has announced GR00T, a cleverly named project to build robots using foundation [ ... ]

More News

raspberry pi books



or email your comment to: comments@i-programmer.info

Last Updated ( Friday, 29 March 2019 )