Hacking team exploits Tesla Model 3 zero-day — wins R1.8 million and the car

Security researchers successfully showed off Windows 11, macOS, and Tesla Model 3 zero-day exploits on the first day of Pwn2Own in Vancouver, Bleeping Computer reports.

On day one, the winners took home $375,000 (R6.8 million) in prize money. Synacktiv won a Tesla Model 3 after successfully executing a time-of-check-to-time-of-use (TOCTOU) attack against the electric car.

Pwn2Own is a computer hacking competition held at the CanSecWest security conference every year.

The first piece of software exploited at the 2023 competition was Adobe Reader.

Abdul Aziz Hariri from Haboob SA bypassed a banned API list on macOS by using an exploit chain of six logic bugs that took advantage of several failed Adobe Reader patches.

The achievement earned the cybersecurity firm $50,000 (R907,000).

The STAR Labs team took home $115,000 (R2 million) on day one — $100,000 for showing off a zero-day exploit chain that targets Microsoft’s SharePoint platform and $15,000 for exploiting a previously known Ubuntu vulnerability.

However, cybersecurity firm Synacktiv was the biggest winner on the day, taking home $140,000 (R2.5 million) and a Tesla Model 3.

The team successfully executed a TOCTOU attack against the Tesla and used a TOCTOU zero-day vulnerability to elevate privileges on macOS.

Other winners included Qrious Security’s Bien Pham, who took home $40,000 (R726,000) and Marcin Wiązowski, who won $30,000 (R544,000).

Day two will see competitors use zero-day exploits to hack Microsoft Teams, Oracle VirtualBox, Tesla’s Model 3 Infotainment Unconfined Root, and Ubuntu Desktop.

On the last day of the competition, they will attempt to hack Ubuntu Desktop again, Microsoft Teams, Windows 11, and VMware Workstation.

Prize money for the entire Pwn2Own competition totals $1,080,000 (R19.6 million). It runs from 22 to 24 March 2023.
