Tesla is handing over its new Model 3 sedan to Pwn2Own this year, the first time a car has been included in the annual high-profile hacking contest.
The prize for the winning security researcher: a Model 3.
Pwn2Own, which is in its 12th year and run by Trend Micro’s Zero Day Initiative, is known as one of the industry’s toughest hacking contests. ZDI has awarded more than $4 million over the lifetime of the program.
Pwn2Own’s spring vulnerability research competition, Pwn2Own Vancouver, will be held March 20 to 22 and will feature five categories: web browsers, virtualization software, enterprise applications, server-side software and the new automotive category. The targets, chosen by ZDI, include software products from Apple, Google, Microsoft, Mozilla, Oracle and VMware. And, of course, Tesla. Pwn2Own is run in conjunction with the CanSecWest conference.
Tesla has had a public relationship with the hacker community since 2014 when the company launched its first bug bounty program. And it’s grown and evolved ever since.
Last year, the company increased the maximum reward payment from $10,000 to $15,000 and added its energy products as well. Today, Tesla’s vehicles and all directly hosted servers, services and applications are in scope in its bounty program.
The company also made an important overhaul last year to its bug bounty program to support “safe harbor” by allowing car owners to hack their own cars as long as they stick to the rules. Tesla’s product security policy now says that if, through “good-faith security research,” you brick your car, the company will reflash the software over-the-air or at a service center. The company says it won’t void the warranty on your car if you hack its software, either.
There’s a reason why Tesla (and now other automakers) have launched bug bounty programs. Tesla vehicles are software-centric and in many ways changed the industry by enabling over-the-air software updates that can fix glitches and security problems as well as improve performance and add other new features. It’s what has allowed Tesla to win over consumers with the idea that their vehicle will get better over time.
But with that comes possible security issues. Since 2014, the program has led Tesla to release a number of security improvements, including cryptographic validation of its software, more robust cryptography for its key fobs and the launch of PIN-to-Drive, which aims to protect against relay attacks on key-fob cloning.
Of course, there’s no guarantee that hackers at Pwn2Own Vancouver will find any vulnerabilities. TechCrunch was told by a Trend Micro spokesperson that the percentage of successful attempts varies, but it’s usually around 50 percent of available targets.
It’s also unclear if researchers will enter the automotive category since it’s new this year, the spokesperson said, adding that she hopes people enter “as we would love to see what the state of the art in automotive research really is.”