Tesla Gives Hackers $200,000, Model 3, for Demonstrating Security Flaw

Published on 22 Mar, 2024, 6:42 AM IST

Updated on 16 May, 2024, 6:31 AM IST

Jamshed Avari

3 min read

Top stories and News

Tesla supports security contests and runs its own bug bounty programme. (Image credit: Tesla)

A team of security researchers called Synacktiv has won $200,000 (approximately Rs. 1,66,16,200) and a brand new Tesla Model 3 for identifying a chain of exploits that could be used by malicious attackers to compromise a Tesla’s CAN (control area network) bus and ECU (electronic control unit). The flaw demonstrated by Synacktiv could theoretically allow an attacker to affect a vehicle’s engine and transmission control, battery management, powertrain, suspension, door and seat controls, telematics, and other critical parameters.

The demonstration took place at the biannual Pwn2Own hacking contest in Vancouver, Canada. The contest is backed by Trend Micro’s Zero Day Initiative, which encourages the discovery and ethical disclosure of security vulnerabilities. Tesla supports such hacking competitions with large prizes, and runs its own bug bounty programme to reward researchers for discovering exploits.

Synacktiv, which is based in France and describes itself as an “offensive security company”, won $100,000 (approximately Rs. 83,08,100) from Tesla in January this year at another Pwn2Own event in Tokyo, Japan for discovering a chain of exploits in Tesla’s infotainment system and a flaw in its modems. In March 2023, it won another Tesla Model 3 and $100,000 for successfully manipulating the Tesla Energy Gateway, which communicates with a Tesla Powerwall home energy storage system and manages how and when to charge a vehicle.

Confirmed!!! The @Synacktiv team used a single integer overflow to exploit the #Tesla ECU with Vehicle (VEH) CAN BUS Control. The win $200,000, 20 Master of Pwn points, and a new Tesla Model 3 (their second!). Awesome work as always. #Pwn2Own #P2OVancouver pic.twitter.com/FcB4fTiOa7
— Zero Day Initiative (@thezdi) March 20, 2024

Tesla’s engagements with white-hat hackers and security researchers show how important cybersecurity is to the company and to the connected vehicle industry at large. Connected cars, particularly entire fleets of them, are tempting targets for malicious attackers, as they could be an easy way to target individuals or cause significant disruption on a large scale.

However, the carmaker was also in the news recently for dismissing a potential threat discovered by researchers at Mysk, who managed to clone a Tesla’s digital key in a controlled demonstration using a fake Wi-Fi hotspot and capturing a user’s Tesla account credentials.