A group of hackers has walked away with a Tesla Model 3 and $100,000 in cash — but it’s not what you might be thinking. The Model 3 EV was breached as part of a hacking competition, with the car and money both being won fair, square, and above board.
The Pwn2Own contest is held annually at Vancouver’s CanSecWest security conference and is said to attract the best hackers and security researchers in the world. Each team that takes part in the hacking event is given a list of devices and software. Each successful breach nets them a cash prize, and in the Tesla’s case, the quickest team won the car (although what is pictured is a Model S, not a Model 3).
The security conference's choice of a Tesla is apt, as modern automobiles become more reliant on being connected. With that come vulnerabilities, such as the ones exploited by the winning team, known as Synacktiv.
Of course, in order to protect Tesla owners, the exact details of how the team hacked the car have not been revealed yet. Pwn2Own 2023's organizers say they will share details of how the software was compromised with the respective developers, who will then be given 90 days to release security patches. After that, the organization will make its findings public.
For now, what we know is that the exploit was a relatively simple TOCTOU (time-of-check to time-of-use) attack. In layman's terms, such an attack involves altering internal files, such as login credentials, to gain unauthorized access to the vehicle's systems. To do so, it exploits the gap in time between the system checking the files and the system actually acting on them, such as when a person is logged in.
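The general bug class can be shown with a file check, in an added example that is not Synacktiv's exploit (whose details are undisclosed) and not code from Tesla or Pwn2Own. The function names, the ownership policy and the `cfg`/`other` files are constructed for illustration; it contrasts a check-then-use pattern with the open-once, check-the-descriptor fix on a POSIX system.

```python
import os
import stat
import tempfile

def _validate(st):
    # Policy assumed for this example: regular file owned by the current user.
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
        raise PermissionError("file rejected by check")

def check_then_use(path, between=lambda: None):
    """Racy pattern: validate the name, then resolve the name a second time."""
    _validate(os.lstat(path))       # time of check
    between()                       # window: the name can be rebound here
    with open(path, "rb") as f:     # time of use: may be a different object
        return f.read()

def open_then_check(path, between=lambda: None):
    """Hardened pattern: open once, validate and read the same descriptor."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuses a symlink
    with os.fdopen(fd, "rb") as f:
        _validate(os.fstat(f.fileno()))  # check the object actually opened
        between()                        # rebinding the name no longer matters
        return f.read()

def demo():
    """Constructed scenario: 'cfg' is rebound to another file mid-operation."""
    with tempfile.TemporaryDirectory() as d:
        cfg, other = os.path.join(d, "cfg"), os.path.join(d, "other")

        def reset():
            for p in (cfg, other):
                if os.path.lexists(p):
                    os.remove(p)
            with open(cfg, "wb") as f:
                f.write(b"approved")
            with open(other, "wb") as f:
                f.write(b"unapproved")

        def rebind():
            os.remove(cfg)
            os.symlink(other, cfg)

        reset()
        racy = check_then_use(cfg, rebind)
        reset()
        safe = open_then_check(cfg, rebind)
        return racy, safe

if __name__ == "__main__":
    print(demo())
```

The `between` hook makes the race deterministic for the demonstration; in real code the window is whatever time elapses between the two path lookups.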
A later tweet by Synacktiv showed how the team successfully compromised the Tesla Model 3 infotainment system via Bluetooth. Combined with what was demonstrated at the show, the hackers claim that it could form the full chain needed to take over the car.