Skip Navigation

Technology @lemmy.world

Zen @biglemmowski.win

1y ago

Hackers Crack Tesla Twice, Rake in $1.3 Million at Pwn2Own Automotive

www.hackread.com /hackers-crack-tesla-twice-pwn2own-automotive/

44 comments

discovering 49 zero-day bugs in EV systems
Holy shit that's a lot of zero days homies
- More holes than Emmental cheese lol
  
  Holier than the Vatican
  
  Surely, that’s the intention behind the Swiss cheese model?
  
  Btw did you know Swiss cheese has copy protection? I know the thought is pretty random, but I thought I'd share anyway.
  https://www.chimia.ch/chimia/article/view/2016_349/1089

90 days till release of Zero-Days 😉 don’t update your tesla 😂 so you can gain root and really own that car
- Just flash a custom os 😂
  
  brb flashing TempleOS to let god be my driver /s
  
  I hope it gets called something like edOSon and is filled with subtle insults to its namesake.
  
  Hannah Montana OS for the Tesla!
  What a time to be alive!

Scribbles
Another reason not to buy proprietary garbage. Where are the Open Source EVs at?
- Open-source EVs are a bit like Gentoo, you have to build it yourself.
  
  There actually are a lot of really cool EV conversion builds on YouTube using fairly open parts. So I'd say this is perfectly accurate.

Wait so was the hacking live?
- Yes, pwn2own is a live competition

Wow. Imagine paying $1.4mil to find 49 zero days instead of hiring an actual security team.
The people who did this are fucking idiots.
- bro that's fucking cheap.
- $1.4 million vs the ability to steal as many Teslas as you want?
  I'll take the money...

Anti-libre software licenses can never defend us from Tesla.

Do they directly show(sell maybe) the exploits to the companies?
- White hats can be prosecuted via the CFAA. they usually aren't (most of us are guilty of CFAA penalties) but some companies got sour to fixing their web security and instead would sue and push to prosecute.
  So in the early 2010s the white hat community went gray to survive. And companies that don't pay their bounties oe cause trouble don't get pen tested by white hats (at least not when wearing a white hat).
  
  How do you know if a company is going to pay to fix?
  Do you just have to take a chance and notify them?
  Either I make a bunch of money, or they say fuck off, or they send me to jail? It seems too iffy
  
  Thank you! I appreciate the insight.
- Thats what white hats would do and what these contests are usually for
  But its more like a bughunt with an open Bounty then selling afaik

So, all these exploits seemingly still require physical access to the car/product electronics? If so, that seems to make it somewhat less of an issue (but still an issue of course) than if they could gain e.g. root access without physical access to the car or even proximity at all.
- I'm not that worried about my laptop in regards to physical access because I don't usually leave it in public unattended for long.
  My car? Sometimes that thing sits in a parking spot or paid garage for weeks when traveling. I also leave it unattended in public most times I go brick and mortar shopping.
  
  Someone still needs to physically break in to the car, which will usually trigger alarms and attention. Like I said, it is still cause for concern, but moderate concern IMO. I would be a hell of a lot more worried if it was possible from anywhere in the world to take over my car remotely. The need for physical direct access to electronics inside the vehicle makes it less vulnerable.
  Are you worried about leaving your laptop in your house/apartment? Because anyone could also just break in there and have physical access to your stuff, arguably with even more privacy during the act than with a car parked out in public plain view.
- People said this about the Jeep vulnerabilities until they found a way to exploit them remotely.
  Where there's smoke, there's fire.

Hell yeah brother.

- That's some sociopath shit right there. But tbh white hat is better -- the people that did this are guaranteed steady paychecks for the rest of their lives, with a lot lower stress than getting one big payday and having to look over your shoulder your whole life
- Hack a 1%s car
  A Tesla costs about the same as a Ford F-150 pickup. You want all those F150 drivers killed too?
  
  I’d love to hack into all F-150s and remap the maximum throttle opening to maybe 1/2. Also set speed limits to 70 maybe. Or add GPS based limits to keep the fuckers from basically drag racing down my narrow sidewalk less street.
  Actually doing Rams is probably best, and remapping diesels to prevent coal rolling would be high on the list too.

44 comments