
Pwn2Own 2020: Researchers Again Invited to Hack Tesla

Trend Micro’s Zero Day Initiative (ZDI) on Thursday announced the targets and prizes for the 2020 Pwn2Own competition, which is set to take place on March 18-20 in Vancouver at the CanSecWest conference.

Pwn2Own 2019 introduced the automotive category and participants were invited to hack a Tesla Model 3. Amat Cama and Richard Zhu of team Fluoroacetate managed to hack the car’s web browser, which earned them $35,000 and a Model 3. They were the only team to target the vehicle at the competition.

Pwn2Own 2020 participants have also been invited to hack a Tesla Model 3, but ZDI has pointed out that earning a car will be more difficult compared to last year. On the other hand, the amount of cash researchers can earn if they demonstrate exploits against the Model 3 is also more significant.

There are three tiers in the automotive category this year. In Tier 1, hackers can earn $500,000 if they successfully demonstrate an exploit chain that uses the tuner, Wi-Fi, Bluetooth or modem as the initial attack vector and ultimately allows attackers to compromise gateway, security (VCSEC) or autopilot components. The attack must result in arbitrary code execution on three different subsystems. An additional bonus of $50,000 can be earned if the exploit also achieves root persistence, and an extra $100,000 if the payload can take control of the CAN bus.

The targets are the same in Tier 2, but it’s enough to achieve arbitrary code execution on two subsystems. Rewards in this tier range between $250,000 and $400,000, with the possibility of earning bonuses for persistence or CAN bus control.

Tier 3, in which the prize amount ranges between $35,000 and $200,000, requires an exploit that compromises only one subsystem of the car, and there is a wider range of targets.

Tesla Tier 3 targets for Pwn2Own 2020

“Entries against Modem or Tuner, Wi-Fi or Bluetooth, and Gateway, Autopilot, or VCSEC targets must achieve code execution by communicating with a rogue base station or other malicious entity. Entries against the Infotainment target must be launched from the target under test and must achieve code execution by browsing to malicious content,” ZDI explained.

The browser category at Pwn2Own 2020 includes Chrome, Edge (both Chromium- and EdgeHTML-based), Safari, and Firefox, with prizes ranging between $40,000 and $100,000.

In the virtualization category, hackers can target Oracle VirtualBox, VMware Workstation and ESXi, and Microsoft Hyper-V. The most valuable exploits are for ESXi, $150,000, and Hyper-V, $250,000.

Participants can earn tens of thousands of dollars for hacking Adobe Reader and Office 365 ProPlus. Local privilege escalations on Ubuntu and Windows 10 are worth $30,000 and $40,000, respectively.

Finally, in the server-side category, Windows RDP exploits are worth up to $150,000.

ZDI says the prizes this year total $1 million. Last year, the organizers paid out a total of $545,000 for 19 vulnerabilities.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
