Hackers Get Free Tesla and $350k Using Infotainment Screen Hack

Did you know that there are hacking competitions? Well, there are, and they pay out in killer prizes. A group of “ethical hackers” competed in the Pwn2Own 2023 hacking competition, where if you can hack a Tesla Model 3, you can have it plus a giant pile of cash. This year, the winners managed to hack the Tesla using a slick method that went through the infotainment screen.

A Tesla Model 3's 15-inch center stack screen | Tesla

Can you hack a Tesla Model 3? 

While Tesla has worked hard to keep hackers out of its cars’ computers, that effort was not enough here. Not only did the hacker team, which competes under the name Synacktiv, get into the Tesla’s infotainment unit, but they also did it with time to spare in their ten-minute attempt window. They got access to the car’s critical systems, effectively compromising the car completely. Granted, this team of hackers is no bush-league squad. The team is made up of professional security researchers.

What were the rules of the contest?

The Drive points out that the contest gives each hacker team an infotainment unit that has already been removed from a car. The screen was removed for safety. The fear is that if the hackers make a mistake, the car could react to the tech meddling. However, make no bones about it; this is a screen pulled straight out of a Tesla Model 3.

“Of course, we would like to do this on a car itself, but there are just too many variables that would make it potentially dangerous for those around the vehicle, including the building vehicles parked by, so we do not want to take that chance,” said Dustin Childs, head of threat awareness at the Zero Day Initiative. “We prefer a nice controlled environment.”

Under the rules, each team got ten minutes to crack the Tesla. If the screen were still installed in the car, it may have taken longer. But things being what they were, the winners popped the Tesla computer in only two minutes.

How do you hack a Tesla? 

Naturally, the team wouldn’t spill the beans on how they cracked it, but The Drive writes, “it was made public that Synacktiv’s attack chain made use of a time-of-check to time-of-use (TOCTOU) attack, which is effectively an attack that “races” to exploit the system’s desired actions.” 

The example detailed by The Drive is that the Tesla system may check whether a certain file exists (and is what it expects), and in the window between that check and actually launching the file, the file is swapped for one that lets the exploit run. The check and the use each look the file up by name separately, so whatever the check validated is not necessarily the thing that ends up being used.
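Here is what that kind of race looks like in code. This is an added illustration of a generic check-then-use race on a Linux filesystem, not Synacktiv's exploit and not Tesla code; the file names, the temporary directory and the `race_hook_t` callback (which stands in for the attacker winning the race, so the demo is deterministic instead of depending on thread timing) are all constructed for the example. The vulnerable opener validates a path with `lstat()` and then re-opens it by name; the hardened one opens first and validates the descriptor it actually got, so swapping the name afterwards changes nothing.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stands in for the attacker acting inside the race window (constructed
 * for the demo: a real attacker relies on timing, not a callback). */
typedef void (*race_hook_t)(const char *path);

/* VULNERABLE: "check" with lstat() on the name, then "use" by opening the
 * same name again. The second lookup may resolve to a different object. */
static int vulnerable_open(const char *path, race_hook_t attacker)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                        /* check: must be a plain file */
    if (attacker) attacker(path);         /* the race window */
    return open(path, O_RDONLY);          /* use: re-resolves the name */
}

/* HARDENED: open first, then validate the descriptor. O_NOFOLLOW refuses a
 * symlink at the final component, and fstat() inspects the object that was
 * opened, not a name that can be swapped underneath us. */
static int safe_open(const char *path, race_hook_t attacker)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (attacker) attacker(path);         /* swapping the name is now useless */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    return fd;
}

/* Demo fixture (constructed): a trusted file the program expects to read and
 * a secret file the attacker wants it to read instead. */
static char g_dir[64], g_trusted[128], g_secret[128];

static void attacker_swap(const char *path)   /* replace name with a symlink */
{
    unlink(path);
    symlink(g_secret, path);
}

static int reset_trusted(void)                /* fresh regular trusted file */
{
    unlink(g_trusted);
    FILE *f = fopen(g_trusted, "w");
    if (!f) return -1;
    fputs("TRUSTED\n", f);
    return fclose(f);
}

static int setup(void)
{
    snprintf(g_dir, sizeof g_dir, "/tmp/toctou_demo.%ld", (long)getpid());
    if (mkdir(g_dir, 0700) != 0) return -1;
    snprintf(g_trusted, sizeof g_trusted, "%s/trusted.cfg", g_dir);
    snprintf(g_secret, sizeof g_secret, "%s/secret.txt", g_dir);
    FILE *f = fopen(g_secret, "w");
    if (!f) return -1;
    fputs("SECRET\n", f);
    return fclose(f);
}

static void teardown(void)
{
    unlink(g_trusted); unlink(g_secret); rmdir(g_dir);
}

/* Run one opener with the attacker racing it. Returns the first byte that
 * was read: 'T' (trusted file), 'S' (secret file) or '-' (open refused). */
static char read_via(int (*opener)(const char *, race_hook_t))
{
    if (reset_trusted() != 0) return '-';
    int fd = opener(g_trusted, attacker_swap);
    if (fd < 0) return '-';
    char c = '-';
    if (read(fd, &c, 1) != 1) c = '-';
    close(fd);
    return c;
}

/* If the attacker already won before the open, O_NOFOLLOW refuses outright. */
static int safe_rejects_presized_symlink(void)
{
    if (reset_trusted() != 0) return 0;
    attacker_swap(g_trusted);
    return safe_open(g_trusted, NULL) == -1;
}

int main(void)
{
    if (setup() != 0) return 1;
    printf("vulnerable_open read: %c\n", read_via(vulnerable_open));  /* S */
    printf("safe_open read:       %c\n", read_via(safe_open));        /* T */
    printf("safe_open vs symlink refused: %d\n", safe_rejects_presized_symlink());
    teardown();
    return 0;
}
```

The general lesson is the one that applies to any privileged process, infotainment firmware included: validate the object you hold (a file descriptor, a parsed buffer), never the name or path you looked it up by, because names are the attacker's to change.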

Synacktiv won the Tesla Model 3 they hacked plus $100,000 in cash. On top of that, Zero Day Initiative says the attack was so intricate that it earned the team the first-ever “tier 2” award. This banked the team an additional $250,000, plus some other smaller payouts as well. All in all, Synacktiv won a total of $530,000 plus the Model 3. Not bad for two minutes of work.

Does Tesla allow this hacking?

While it can come off a bit scary how easily these folks can crack such complicated code, it actually serves as a boon to cybersecurity. By offering incentives like this to security researchers, the details of each attack go straight to the vendor to be fixed, as opposed to people developing these kinds of attacks in secret for illegal purposes.

To be clear, Pwn2Own is run by Trend Micro's Zero Day Initiative, not by Tesla, though Tesla partners with the event and supplies the car. Separately, the EV company runs its own bug bounty program that pays up to $15,000 for bugs reported in Tesla software.