Tesla Gives Hackers $200,000, Model 3, for Demonstrating Security Flaw

A team of security researchers called Synacktiv has won $200,000 (approximately Rs. 1,66,16,200) and a brand new Tesla Model 3 for identifying a chain of exploits that could be used by malicious attackers to compromise a Tesla’s CAN (control area network) bus and ECU (electronic control unit). The flaw demonstrated by Synacktiv could theoretically allow an attacker to affect a vehicle’s engine and transmission control, battery management, powertrain, suspension, door and seat controls, telematics, and other critical parameters. 

The demonstration took place at the biannual Pwn2Own hacking contest in Vancouver, Canada. The contest is backed by Trend Micro’s Zero Day Initiative, which encourages the discovery and ethical disclosure of security vulnerabilities. Tesla supports such hacking competitions with large prizes, and runs its own bug bounty programme to reward researchers for discovering exploits.

Synacktiv, which is based in France and describes itself as an “offensive security company”, won $100,000 (approximately Rs. 83,08,100) from Tesla in January this year at another Pwn2Own event in Tokyo, Japan for discovering a chain of exploits in Tesla’s infotainment system and a flaw in its modems. In March 2023, it won another Tesla Model 3 and $100,000 for successfully manipulating the Tesla Energy Gateway, which communicates with a Tesla Powerwall home energy storage system and manages how and when to charge a vehicle.

Tesla’s engagements with white-hat hackers and security researchers show how important cybersecurity is to the company and to the connected vehicle industry at large. Connected cars, particularly entire fleets of them, are tempting targets for malicious attackers, as they could be an easy way to target individuals or cause significant disruption on a large scale.

However, the carmaker was also in the news recently for dismissing a potential threat discovered by researchers at Mysk, who managed to clone a Tesla’s digital key in a controlled demonstration using a fake Wi-Fi hotspot and capturing a user’s Tesla account credentials.