Hacking team wins a second Tesla Model 3 and R6.5 million at Pwn2Own
Cybersecurity firm Synacktiv won $360,000 (R6.5 million) and a second Tesla Model 3 on day two of the 2023 Pwn2Own competition in Vancouver, Bleeping Computer reports.
Team members David Berard and Vincent Dehors earned the company $250,000 (R4.5 million) by hacking the Tesla Model 3 via an exploit chain combining a heap overflow and an out-of-bounds write.
They also took home the car itself as a reward, and the company earned a further $110,000 (R2 million) for successful Oracle VirtualBox and Ubuntu Desktop exploits.
The team’s Thomas Imbert and Thomas Bouzerar exploited a three-bug chain to escalate privileges on a VirtualBox host.
Another team member, Tanguy Dubroca, showcased a zero-day to escalate privileges on Ubuntu Desktop.
Ten zero-days were successfully exploited on the second day of the competition.
Other notable hacks included Team Viettel’s two-bug exploit chain for Microsoft Teams and its successful exploitation of a use-after-free bug and an uninitialised variable in Oracle’s VirtualBox.
The team took home $118,000 (R2.1 million) on the day.
Synacktiv’s success on day two follows its significant winnings on the first day of the 2023 Pwn2Own competition.
On day one, the company earned $140,000 (R2.5 million) for successfully hacking a Tesla Model 3 and using a time-of-check-to-time-of-use (TOCTOU) zero-day vulnerability to elevate privileges on macOS.
Synacktiv’s team also used a TOCTOU attack against the Tesla and won the vehicle in addition to the prize money.