|Tesla Model 3 Pwn2Own'd|
|Written by Alex Armstrong|
|Friday, 29 March 2019|
Team Fluoroacetate was the only one to attempt to hack the Tesla Model 3 at the recent Pwn2Own contest held in conjunction with the annual CanSecWest security contest earlier this month. Their hack was successful enabling them to drive the prize away.
As reported at the start of the year a new automotive category was added to mix for the latest Pwn2Own with the Tesla Model 3 promised to the first cybersecurity researcher who could hack the car's computer system.. Six possible targets of varying difficulty on the Tesla Model 3 were specified. These augmented the more familiar targets that security researchers have previously tackled, with winners taking away the laptops used to perform the hacks as well as prize money:
Successful hacks also clock up Master of Pwn points and the contestants with the most points at the end of the contest take home the trophy.
Pwn2Own 2019 took place over 3 days. Day One opened with Team Fluoroacetate, Amat Cama and Richard Zhu, targeting the Apple Safari web browser.
According to Dustin Childs on the Zero Day Initiative blog,
They successfully exploited the browser and escaped the sandbox by using an integer overflow in the browser and a heap overflow to escape the sandbox. The attempt nearly took the entire allowed time because they used a brute force technique during the sandbox escape.
Their success earned them $55,000 USD and 5 points towards Master of Pwn.
The duo then targeted Oracle VirtualBox. After a first attempt in which their code execution failed, second time around they successfully used an integer underflow and a race condition, earning $35,000 and 3 more Master of Pwn points.
Next they targeted the VMware Workstation, using a race condition leading to an Out-Of-Bounds write to go from the virtual client to executing code on the underlying host operating system. They earned $70,000 USD and 7 additional Master of Pwn points, bringing their Day One total to $160,000 and 15 Master of Pwn points.
On Day Two Fluoroacetate first set about Firefox. They leveraged a JIT bug in the browser, then used an out-of-bounds write in the Windows kernel to effectively take over the system. They were able to execute code at SYSTEM level just by using Firefox to visit their specially crafted website. The effort earned them another $50,000 and five more points towards Master of Pwn.
Next they returned with what the ZDI blog described as:
perhaps their greatest challenge of the competition.
Starting from within a VMware Workstation client, they opened Microsoft Edge and browsed to their specially crafted web page. That’s all it took to go from a browser in a virtual machine client to executing code on the underlying hypervisor. They started with a type confusion bug in the Microsoft Edge browser, then used a race condition in the Windows kernel followed by an out-of-bounds write in VMware workstation. The masterfully crafted exploit chain earned them $130,000 and 13 Master of Pwn points.
By the end of Day 2 Team Fluoroacetate had amassed out of a total of $340,000, two-thirds of the $510,000 awarded to all contestants, and had a commanding lead of 33 points.
It had been expected that two teams would compete in the automotive category, the only event on Day Three but Team KunnaPwn withdrew its entry just prior to contest leaving team Fluoroacetate as the sole contender. They had chosen the softest of the available Tesla 3 targets worth $35,000 and 3 Master of Pwn Points and used a JIT bug in the browser renderer process to execute code on the car's firmware and show a message on its Infotainment system.
Undertaking to release a software update that addresses this vulnerability, a Tesla spokesperson commented
"We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today."
So with a total of 36 "Master of Pwn" points and $375,000 in prize money, Amat Cama and Richard Zhu, were the decisive winners of this year's Pwn2Own.
Team Fluoroacetate left Vancouver with five laptops and the trophy, to put beside the one they received at Pwn2Own Tokyo conference in November 2018,safely stowed in the trunk of the Tesla Model 3.
or email your comment to: email@example.com
|Last Updated ( Friday, 29 March 2019 )|