High-speed scenes from a car-hacking competition

There was money to be made last month, if you knew how to hack a car and get it to play Doom.

Researchers from around the world met in Tokyo from January 24–26 to find ways to compromise Tesla modems, EV chargers, and the Alpine Halo9 iLX-F509 touchscreen, which the NCC Group used for playing the 1993 video game.

How the “Pwn2Own Automotive” event works: Teams have months to prepare for the chosen targeted vehicle and its components. In this case, Pwn2Own selected a Tesla Model 3/Y and Tesla Model S/X, and many of its features, like tuners, modems, Bluetooth, and infotainment systems. Other selected targets included EV charger and operating systems.

Each team eventually gets three 10-minute attempts to demonstrate a successful pwn, what the rules define as a demonstration of “arbitrary code execution” on the device. Ya know, like Doom.

“They were all sitting around, trying to play Doom on this thing. It was so funny,” Dustin C. Childs, head of threat awareness at Trend Micro Zero Day Initiative, told IT Brew. Trend Micro, largely responsible for the payouts, also partnered with Tesla for the event.

This year’s demo showcase featured over 45 entries, 49 unique zero-day bugs, plenty of crowd noise, and even a buzzer beater.

In a room of about 150 people, according to Childs, one entrant established a connection with the EV charger with about ten seconds left.

“The crowd erupted!” Childs said.

In the end, hackers drove home—netting bug bounty prizes that totaled $1,323,750.

Childs spoke to IT Brew from Japan about the event’s most exciting moments, and how to make sure vendors get fixes before time runs out.

The responses below were edited for length and clarity.

What was a memorable hack from the week?

On day one, the Synacktiv team, a team from France, hacked a Tesla modem. We actually had to set up an RF enclosure, which is like a Faraday cage, because they essentially exploited the [baseband] cellphone network to talk to the Tesla modem. The Tesla’s gonna ping out every now and then, looking for that baseband signal, so it can get updates, give GPS, and do all these other things. They were able to intercept that signal in response to it and compromise the modem. And then the next day, they showed how they could use that exploit to move into the infotainment system.

The infotainment system?

The infotainment system is, of course, sandboxed, but they were able to escape that sandbox. They didn’t take it any further through this context. But potentially, they could have gone into ECUs (electronic control units) or into other systems that were potentially controlling other parts of the vehicle, even potentially, up to the autopilot. That’s really, really, really hard to do, of course. They didn’t do that, but the potential was there to do that.

What happens next with something like that—to communicate with Tesla to start making a fix?

The awesome thing about working with Tesla is Tesla was here. So, [the team] demonstrated it, we took them into a private room, and they explained it to us. We brought Tesla in and they explained it to them. Tesla’s already working on it…they’ll have a fix out, probably within three or four weeks.

Is the feeling complicated: the excitement combined with the reality that these cars can be hacked?

Yeah, there is that feeling that today’s cars can be hacked, and that is worrying. But from our perspective, we’d rather be on the side of finding the bugs and working with the vendors to get them fixed, rather than just knowing, “Yeah, today’s cars can be hacked” and not even know how bad.