“Good hacking is a gift,” Elon Musk said in 2016. It can also be highly profitable. This past week, Amat Cama and Richard Zhu — who call themselves Team Fluoroacetate — walked off with the top prize at the 2019 Pwn2Own hacking contest in Vancouver, Canada. They took home $375,000 in cash prizes and got to keep the Tesla Model 3 they hacked on the last day of the competition.
Cama and Zhu used a JIT (just-in-time) bug in the Model 3’s browser renderer process to execute code on the car’s firmware and show a message on its entertainment system, according to ZDNet. Per contest rules announced last fall, they now get to keep the car and a $35,000 reward. They earned the rest of the money by successfully hacking other software, including Apple Safari, Firefox, Microsoft Edge, VMware Workstation, and Windows 10.
“In the coming days we will release a software update that addresses this research,” a Tesla spokesperson told ZDNet. “We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”
This is the second Pwn2Own hacking contest Team Fluoroacetate has won. It also ranked first and received the “Master of Pwn” trophy at the Pwn2Own Tokyo conference in November 2018.
According to Wikipedia, “Pwn2Own is a computer hacking contest held annually at the CanSecWest security conference, beginning in 2007. Contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive the device that they exploited, a cash prize, and a ‘Masters’ jacket celebrating the year of their win.”
Organized by Trend Micro’s Zero Day Initiative team, it is considered the top hacking contest for white hat researchers in the information security field. Over the past few years, many of the companies whose apps have been hacked at Pwn2Own have begun sponsoring the contest and now have engineers onsite to receive the vulnerability reports from the researchers themselves, sometimes delivering patches within hours. Any successful hacks are transmitted immediately to the affected companies.
For more on how Team Fluoroacetate hacked that gorgeous red Model 3, check out this video.