Hackers win Tesla Model 3 at security competition with $530,000 exploit
%2Favatars%2FFbiapfPKTgv1.jpg&w=96&q=75)
%2F2023%2F03%2F30%2Fimage%2Fjpeg%2F3oJULPAjSjNJsbuEy62xlCmUKnRd9zxF7BvsGmG0.jpg&w=3840&q=75)
According to security researchers, malevolent hackers could remotely hack into a Tesla and switch off the lights, honk the horn, open the trunk, turn on the windshield wipers, and tamper with the infotainment system thanks to three vulnerabilities linked together.
During Pwn2Own Vancouver, a security competition where "white hat" hackers and security researchers can win the devices with previously discovered vulnerabilities (that they uncover and exploit)—plus a cash prize—researchers from the French security firm Synacktiv won $530,000 and a Tesla Model 3.
Despite these flaws, the researchers noted that Tesla is doing an excellent job of making the car difficult to hack by putting in place a sophisticated system of sandboxes, which isolates components and makes it more difficult to gain greater privileges by simply breaking into one of them.
TOCTOU attack
The Synacktiv team demonstrated two different exploits. At first, it took them less than two minutes to compromise the Model 3's Gateway system, which serves as the energy management interface for communication between Tesla vehicles and Tesla Powerwalls.
They inserted the required malicious code using a Time of Check to Time of Use (TOCTOU) attack, a strategy that takes advantage of the brief interval between when a computer examines something like a security credential and when it really uses it.
They weren't hacking a genuine Model 3 for safety concerns, but they would have been able to open the front hood and doors of the vehicle even while it was moving.
The second vulnerability allowed the hackers to remotely take control of the infotainment system of the mimic Tesla and, from there, other car systems. They gained access using the Bluetooth chipset's heap overflow vulnerability and an out-of-bounds write mistake, the latter of which allowed them control of the security gateway. This device delivers commands to the vehicle.
According to the researchers, the remedies for these vulnerabilities are being developed by Tesla and should soon be installed on cars.
SHOW COMMENT (1)
/2023/05/23/image/jpeg/WGiDzBgkMEB3MWU2C2FQaPjsdhaIUwtYZUSBvBiE.jpg "Triangles over circles? YouTuber builds funky cycle with special wheels")
/2023/05/26/image/webp/6Co80ZJJXboUOYLXIuCvkafLsBWpH8MROKX60PUF.webp "Hyper-luxury Bugatti tower will have its residents drive up to their floor")
/2023/05/28/image/jpeg/X1sB2puBpxN1VWCWMDkaa7Uwd2FUAdOP6AxTp8T8.jpg "NGAD: The chosen one - US Air Force commits to sole 6th-generation fighter")
/2023/05/26/image/jpeg/1JXrkwK7efWVsmu4aRFf4fdD1Ptufo7ZAU7UMPLd.jpg "US Carrier Strike Group can be countered with 24 hypersonic missiles, China claim")
/2022/11/08/image/jpeg/aK55OAMMRf05pKSsbgqUVLIvlctLAXZyMqXucOH3.jpg "Why the ESA's world-first Biomass satellite is 'very timely' for understanding Earth's climate")
/2022/11/04/image/png/lhKs99DYXw2An3hAoe3fx7PHg2NXcURKZwXwKRmk.png "Olkaria VI, Kenya: Inside the world's largest single-turbine geothermal plant")
/img/iea/V0OyjqJ5GQ/untitled-1-6.jpg "This flood protection barrier reaches new heights")
/2022/08/04/image/jpeg/kenkoRft51DPpfvdF4uDjrFaXLkR2uzHQZP8M9VJ.jpg "Here's what complex primate societies can teach us about sex and gender")
/2022/10/12/image/jpeg/axTMOIazSZcZ4CbOYhC1h2qWly0KlnazrpRUzMIw.jpg "Can AI rescue lab rats and guinea pigs? How new technologies could solve a major ethical issue")
/2023/05/25/image/jpeg/xbqtdlTTlQ6wFUubr9etkXJZVi8dBYvahuUEjCzI.jpg "This architecture firm is introducing inflatable skyscrapers")