The electric automaker is working to release a fix for the underlying vulnerability in a matter of days
A duo of white-hat hackers have earned themselves a brand new Tesla Model 3 after exposing a vulnerability in the car’s integrated browser.
Richard Zhu and Amat Cam, aka team ‘Fluoroacetate’, managed to break into the electric sedan via its infotainment system at the Pwn2Own hacking contest in Vancouver, Canada, last Friday. They exploited a JIT (or ‘just-in-time’) bug in the browser renderer process to display a message on the infotainment system.
In addition to walking away with the car, Zhu and Cam received US$35,000 for discovering the bug, reads a Zero Day Initiative report. It’s worth noting that the flaw didn’t enable the ethical hackers to take control of the vehicle itself.
We reported in January that Tesla had decided to put up one of its models as a target at the event, which took place between March 20-22.
The duo had a pretty good few days at the event, having scooped $375,000 in prize money in total, including for finding flaws in Apple Safari, Microsoft Edge, VMware Workstation, Oracle VirtualBox, and Windows 10.
In its statement after Zhu and Cam’s find, the electric automaker said that a fix for the vulnerability (classified as CVE-2019-9977) was on its way.
“In the coming days we will release a software update that addresses this research,” reads a statement from Tesla on ZDNet last Friday. “We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”
Tesla launched its own bug bounty program in 2014 and has since given away hundreds of thousands of US dollars in rewards for reporting vulnerabilities in its vehicle systems. According to Teslarati, last year saw the company extend the program to its energy products.