posted by Fnord666 on Monday January 13 2020, @01:08AM
from the pwn2own dept.

Hack a Tesla, get a Model 3 and nearly $1 million - Roadshow:

Alright, hacker guy or gal, this is your time to shine. If you're not familiar with the Zero Day Initiative (ZDI), it's calling all friendly hackers extraordinaire once again for a good cause. This time, if if[sic] anyone manages to hack a Tesla, they'll get nearly $1 million and a shiny-new Model 3.

ZDI confirmed on Thursday that Tesla will once again be the big-name sponsor for its automotive category. Increasingly, automakers turn to friendly hackers to exploit their systems to keep our machines safe. Thus, ZDI has issued a new challenge for this year's "Pwn2Own" contest.

If an individual is able to completely compromise a Tesla Model 3, they get the car as part of Tier 1 prizes. Not only will they go home with a new Model 3, but they'll immediately earn a cash prize of $500,000 from ZDI. Yet, the most skilled have a chance for even more cash. If a contestant ticks off a few hacks in extra categories, they'll earn up to $200,000 more on top of the car and $500,000. These areas are "infotainment root persistence," "autopilot root persistence" and "arbitrary control of the CAN Bus." Each area has its own prize amount, but all hack all three, and it totals up to $200,000.


  • (Score: 0) by Anonymous Coward on Monday January 13 2020, @02:13AM (4 children)

    by Anonymous Coward on Monday January 13 2020, @02:13AM (#942613)

    They've already got backdoors in the chips, so it should be easy for the Chinamen to win.

    • (Score: 0) by Anonymous Coward on Monday January 13 2020, @02:26AM (1 child)

      by Anonymous Coward on Monday January 13 2020, @02:26AM (#942616)

      I was thinking an axe to hack a Teslalala.

      • (Score: 2) by hendrikboom on Monday January 13 2020, @10:42PM

        by hendrikboom (1125) Subscriber Badge on Monday January 13 2020, @10:42PM (#942890) Homepage Journal

        The contest is to achieve full control of the Tesla; i.e., make it capable, not incapable, of doing anything you ask.

    • (Score: 1, Funny) by Anonymous Coward on Monday January 13 2020, @02:58AM (1 child)

      by Anonymous Coward on Monday January 13 2020, @02:58AM (#942621)

      The chinaman is not the issue here!

      • (Score: 2) by TheGratefulNet on Monday January 13 2020, @03:11AM

        by TheGratefulNet (659) on Monday January 13 2020, @03:11AM (#942625)

        "asian american, please."

        --
        "It is now safe to switch off your computer."
  • (Score: 4, Insightful) by ikanreed on Monday January 13 2020, @02:43AM (4 children)

    by ikanreed (3164) Subscriber Badge on Monday January 13 2020, @02:43AM (#942619) Journal

    Why would I want two lithium ion bombs.

    • (Score: 2) by Kymation on Monday January 13 2020, @03:40AM (1 child)

      by Kymation (1047) Subscriber Badge on Monday January 13 2020, @03:40AM (#942634)

      You can never have too many lithium ion bombs.

      • (Score: 0) by Anonymous Coward on Monday January 13 2020, @03:33PM

        by Anonymous Coward on Monday January 13 2020, @03:33PM (#942753)

        They don't mix well with water. Got a swimming pool you need emptied fast?

    • (Score: 2) by epitaxial on Monday January 13 2020, @09:24PM (1 child)

      by epitaxial (3165) on Monday January 13 2020, @09:24PM (#942865)

      Lol are you forgetting that gasoline is also highly flammable? Plenty of regular cars burn up, over 171,000 between 2014 and 2016. https://www.usfa.fema.gov/downloads/pdf/statistics/v19i2.pdf [fema.gov]

      • (Score: 2) by ikanreed on Monday January 13 2020, @10:14PM

        by ikanreed (3164) Subscriber Badge on Monday January 13 2020, @10:14PM (#942880) Journal

        I actually do think electric cars are better in general than traditional ICE cars. I've a particular dislike for Musk, and a particular distrust of cars coming out of factories that have been purported by whistleblowers to be using damaged Li+ cells in vehicle construction.

  • (Score: 0) by Anonymous Coward on Monday January 13 2020, @03:31AM (1 child)

    by Anonymous Coward on Monday January 13 2020, @03:31AM (#942630)

    Did I read this wrong or are they calling $700k "nearly 1 million?" ???

    • (Score: 2) by arslan on Monday January 13 2020, @03:49AM

      by arslan (3462) on Monday January 13 2020, @03:49AM (#942638)

      $700k plus a model 3 - still doesn't add up to $1 mil.

      The page looks like it was authored by an AI auto-translate. It repeated the $200k statement twice and a separate robo title generator probably counted it twice from the article content and mis-summarized it.

      CNET must be trialing their uber expensive robo-AI-ML-blockchain-powered article drone; the one that they built in awesome partnership with IBM, redhat, oracle, deloitte, kpmg, EY, microsoft and amazon with special outsourcing arrangement to wipro, accentrue, infosys, hcl.

  • (Score: 3, Insightful) by bzipitidoo on Monday January 13 2020, @06:29AM (6 children)

    by bzipitidoo (4388) on Monday January 13 2020, @06:29AM (#942660) Journal

    They must have considerable confidence that their cars are near impossible to hack. Probably haven't budgeted for more than 3 to 5 prizes. Heck, maybe they fully expect to give out no prizes.

    With such low odds of success, plus the difficulties in obtaining a Tesla, why even try? This isn't some $100 hobbyist board, it's a $40k car. Maybe there is a way to hack a Tesla, and I can find it, horribly rusty though I am at finding exploits. But I'm not going to try. I also know that unlike DRM, this kind of stuff can be secured. It doesn't even take a whole lot of effort. Like, don't use weak or compromised cryptography such as SHA1.

    • (Score: 2) by ledow on Monday January 13 2020, @10:22AM (2 children)

      by ledow (5567) on Monday January 13 2020, @10:22AM (#942686) Homepage

      If you want people to hack on it, provide access to one for free.

      Literally put a CANbus adaptor and a wireless network that the machine is joined to, live, on the Internet, open to everyone.

      Then see how far your prize funds go...

      Why would you buy a $40k car, to break it, only to win another (broken) $40k car, especially if you know they are easily broken and disagree with the product being in the state you perceive it to be?

      • (Score: 2) by PiMuNu on Monday January 13 2020, @10:55AM (1 child)

        by PiMuNu (3823) on Monday January 13 2020, @10:55AM (#942689)

        > Why would you buy a $40k car, to break it,

        $700k?

        • (Score: 2) by ledow on Monday January 13 2020, @09:41PM

          by ledow (5567) on Monday January 13 2020, @09:41PM (#942871) Homepage

          I can send you $700k... all you have to do is spend $40k... and hope like hell that you win.

          You wouldn't enter it for a pyramid scheme, let alone a damn security vulnerability contest requiring extreme skill.

    • (Score: 0) by Anonymous Coward on Monday January 13 2020, @03:47PM (2 children)

      by Anonymous Coward on Monday January 13 2020, @03:47PM (#942761)

      Or a marketing ploy.

      People I know who bought a Tesla reported that on a highway trip all the (visual) electronics shut off and took something like 5 minutes to reboot. While travelling at speed.

      I'll take a less cool car that was designed by automotive engineers instead.

      • (Score: 2) by TheGratefulNet on Monday January 13 2020, @11:35PM (1 child)

        by TheGratefulNet (659) on Monday January 13 2020, @11:35PM (#942905)

        I own a model 3. it does happen ('black screen') lcd system crashes.

        it does not affect the car and driving; but any display based things or things that need display input (press) won't work until that system reboots.

        no safety issues other than what you may miss from the center screen.

        its unsettling, but I can't think of much that you -need- while driving forward on a highway, other than steering, braking, visibility. none of those are affected. the system reboots in under 20 seconds (I have not timed it, but its not hella long).

        other vendors have this issue. I can't say who, but they are out there and lots of people know it. nvidia and TI have some fault in this, too.

        --
        "It is now safe to switch off your computer."
        • (Score: 0) by Anonymous Coward on Tuesday January 14 2020, @05:32AM

          by Anonymous Coward on Tuesday January 14 2020, @05:32AM (#943006)

          > no safety issues other than what you may miss from the center screen.

          Like speed, fuel and warning lights. Jeez, in planes they put in base level instruments if the glass cockpit goes to lunch.

          Who the fuck needs nvidia and their code in a car?

  • (Score: 2) by maxwell demon on Monday January 13 2020, @09:02AM

    by maxwell demon (1608) on Monday January 13 2020, @09:02AM (#942674) Journal

    I just wanted to comment that I'll immediately fetch an axe, until I read the following (emphasis by me):

    If an individual is able to completely compromise a Tesla Model 3, they get the car as part of Tier 1 prizes.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 2) by PiMuNu on Monday January 13 2020, @11:15AM (2 children)

    by PiMuNu (3823) on Monday January 13 2020, @11:15AM (#942691)

    I don't know why there is so much sniping - $700k seems like an excellent payout, well above competitors (see story about $15k payout from paypal, which seems paltry compared to the potential profit that an exploit could yield...)

    • (Score: 0) by Anonymous Coward on Monday January 13 2020, @08:06PM

      by Anonymous Coward on Monday January 13 2020, @08:06PM (#942848)

      pissy nerds gonna piss.

    • (Score: 0) by Anonymous Coward on Tuesday January 14 2020, @12:24AM

      by Anonymous Coward on Tuesday January 14 2020, @12:24AM (#942916)

      Too many people are jealous of Musk, or got mad because he said something they didn't like or because he's "unprofessional", so they hate everything he does.

  • (Score: 2) by Unixnut on Monday January 13 2020, @03:38PM (2 children)

    by Unixnut (5779) on Monday January 13 2020, @03:38PM (#942757)

    Quite frankly, if your car is computerised to the point where you need to run hackathons to check for vulnerabilities, then you have already lost. It means the car is computerised to the point where not even the devs can be sure it works as intended. This poor engineering practice is rampant in the software world. The hope was with time software development would mature and become like the other engineering disciplines, yet it seems to be going the other way... Cars (and some airplanes) are becoming so heavily controlled by software that bugs and vulnerabilities can be catastrophic.

    Even if nobody manages to hack it now, that doesn't mean (a) that someone won't manage to do it later, and (b) they may find that the vulnerability is worth a hell of a lot more than $700,000, especially if it allows total control of the car. The potential alone for assassination via "accidents" alone means this vulnerability could be worth a good chunk of change to the right people.

    • (Score: 2) by TheGratefulNet on Monday January 13 2020, @11:41PM

      by TheGratefulNet (659) on Monday January 13 2020, @11:41PM (#942908)

      you don't know what you're talking about.

      ob disc: I work in the industry (not tesla, but a competitor).

      there is actually less and less linux in cars and more and more qnx. you won't likely hack qnx (I say this as a linux admin since the 1.1 kernel days).

      ASIL-D systems are very safe and designed that way.

      modern software is not even written directly as c code anymore; its 'model based' and those gui tools are like authoring tools that create 'correct' c code from a safety pov.

      this has been going on for a while.

      I prefer hand coded code, but this 'model stuff' is the future and it does ensure safety levels, by design. its a Good Thing(tm) even though it takes the software person mostly out of the loop. (or, maybe that's part of the reason its so good).

      tesla does not use qnx for all their systems (maybe not at all, I don't know). I don't think they use android (so that's a big plus). they do use a lot of linux and linux cannot be secured as well as a static no-fork no-malloc true RTOS. so there are likely holes in their system.

      they also don't encrypt much, and I don't think they encrypt ethernet or switches or storage at-rest. lots of open holes.

      btw, you can rent teslas. don't have to own one to get access to one, if you really need to ;)

      --
      "It is now safe to switch off your computer."
    • (Score: 2) by hendrikboom on Tuesday January 14 2020, @03:37AM

      by hendrikboom (1125) Subscriber Badge on Tuesday January 14 2020, @03:37AM (#942976) Homepage Journal

      Maybe they're running hackathons not to check for vulnerabilities, but to show off.
      And maybe they'll have egg on their face afterward.

      -- hendrik
