
Pwn2Own Vancouver 2019: Tesla, VMWare, Microsoft, and more - Down_n_Out
https://www.thezdi.com/blog/2019/1/14/pwn2own-vancouver-2019-tesla-vmware-microsoft-and-more
======
InTheArena
As a Tesla owner, I think this is great, because as an Engineer, I fully
expect that Tesla will get owned (literally) here. I have no problem with that
- I want people trying to break the security, and I want Tesla to pay them,
and to improve it.

The reality is that a Tesla is mostly really good software, really good
engine, and really good battery, surrounded by a reasonable (but not
excellent) rest of the car. That's more than worth it to me, and the Tesla
Stretch is real, because the car is incredibly compelling. I would argue that
the value is just as much an outcome of the software, and it needs to be
hardened.

~~~
thejrk_
Just a nitpick but engine would mean internal combustion.

~~~
blackoil
Ain't an engine just something that converts energy to motion? We have jet/rocket
engines which aren't internal combustion.

~~~
mulmen
Jets and rockets are also internal combustion engines. An example of external
combustion is a steam engine.

------
danpalmer
From what I've read about Tesla's software this could be a _bold move_.

Between the infotainment system, onboard Linux computer, autopilot, self-
driving hardware, OTA updates, mobile apps, and the amount they phone home,
Tesla are probably doing some of the most advanced computing in any consumer
car (some deconstructions have suggested they are miles ahead here, pardon the
pun).

This is great, but it all comes with additional surface area for attacks, and
software engineers have spoken out about the fast paced shipping that happens
at Tesla and the corners that are cut as a result.

~~~
Shivetya
<rant/ramble on>

OTA is great but my experience with my TM3 is clouded by one issue: I want
Bluetooth audio support to be enhanced so I do not have to use my phone to
select tracks, playlists, artists, and such. Instead, what was the big update
near the holiday season? Fart humor, a holiday fireplace screen saver, and
the old Atari Pole Position game.

Seriously? Yeah, I know they also updated Autopilot, put in a new animation
for setting vents, and such, but I really don't need the easter eggs when
there are so many programmable features this car should already have, and audio
support, including the mentioned Bluetooth support, is easily a decade
behind what other cars have. Hell, our energy meter is a joke: it won't break
out power used to move from power used to maintain the pack, doesn't want to count
when I am not moving, and blends in the HVAC. Auto high beams that are spastic
and auto wipers that are just, well, odd.

Sorry for the ramble, but the security stunt is one thing; non-essential
crap like easter eggs is just more things to break or be exploited. Bring the
car's customer-facing electronics up to date before farting around more.

love my car, have serious doubts about their priorities.

~~~
nindalf
Do you believe programmers are fungible? That the ones who wrote the easter
eggs could easily be reassigned to work on a specific feature you want? Have
you considered that maybe only a handful of employees have expertise in
bluetooth, were working on the feature you want, while others were making the
easter egg?

It's because of entitled comments like this that companies don't develop
easter eggs. They know that someone who doesn't understand how software
development works will ask this very question - "why easter eggs? Why not that
one feature I want?"

~~~
jdblair
That's not why companies don't develop Easter eggs. It's because: 1) Easter
eggs are features. 2) Features cost time and money. 3) Features almost always
also add bugs. 4) Easter eggs usually aren't in the test plan.

What you get is something that costs money and has the chance to decrease the
quality of your software.

Now there are intangibles that make Easter eggs worth it. Mostly, you have to
keep the developers happy. But don't act like they have zero cost.

Full disclosure, I shipped an easter egg in the Sun x86 service processor
about 11 years ago.

~~~
semi-extrinsic
I'd argue that the Tesla stuff here isn't really Easter eggs as traditionally
understood, which are stuff put in by devs having fun and then either
not spotted or ignored by management. Easter eggs are usually somewhat hidden,
and require some degree of intelligence to appreciate. The Tesla stuff is lame
"fart apps" that were clearly put there under instructions by some PR guys or
Musk himself. No developers were kept happy in this process.

~~~
zaroth
The apps are part of a marketing plan, and I personally doubt that devs didn’t
have fun building them.

My kids gleefully get to “drive” my Tesla using the steering wheel to play
Pole Position. They snicker when we goof around with the whoopie cushion.

It’s hard not to be positively influenced by something that gives your
children joy. I appreciate that there are these bits in the software which are
whimsical that my family can play with.

------
wil421
This will be interesting. A Jeep Cherokee was hacked a couple years ago. The
results are pretty bad. It cost Chrysler a lot of money in recalls to fix the
issue.[1]

[1] [https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/](https://www.wired.com/2016/08/jeep-hackers-return-high-speed-steering-acceleration-hacks/)

~~~
joezydeco
Seems like Tesla could fix security holes remotely. Chrysler could not.

~~~
rootusrootus
The ability to remotely patch a car seems like a double edged sword. Hasn't
Tesla already had at least one example of introducing a bug through OTA
updates?

~~~
HeyLaughingBoy
I consider that an issue with the software quality, not with the update
mechanism. The bug would still have been introduced even if it required a trip
to the dealer to plug in a programming cable.

~~~
falcolas
At least, when it's updated by a dealer and a cable, you know when to expect
changed behavior. With OTA, the vehicle's driving behavior could quite
literally change overnight (and has).

~~~
HALtheWise
I'm pretty sure you still need manual confirmation in the car, and it shows
you patch notes when you next get in, so you should have reason to expect
changed behavior.

------
devy
Regardless of how well or badly Tesla's software fares in the security contest,
this is the best possible way to improve product security within a short
amount of time, just like the cat-and-mouse game Apple plays with the
jailbreaking community.

~~~
anonymfus
> just like the cat-and-mouse game Apple plays with the jailbreaking community.

That cat-and-mouse game discourages people from reporting vulnerabilities. Why
do you think that it improves security?

------
anonymfus
> Entries against “Key Fobs or Phone-as-Key” target must achieve code
> execution, arbitrary vehicle unlock, or arbitrary vehicle start using
> protocol-related weaknesses. Entries related to Key Fob relay or “rolljam”
> attacks are not allowed

Does that mean that they think that such attacks are too easy? If they use
rolling codes, will they classify any attack with jamming as "rolljam"? If
they don't, why specify this?
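
The distinction the rules draw is between beating the protocol and beating
the radio. The toy below, added here and not taken from the Pwn2Own rules,
from Tesla, or from any real fob vendor, models a rolling-code receiver with
a forward-only window, shows why a plain replay fails, and then steps through
the jam-and-replay ("rolljam") sequence that defeats it without touching the
crypto. The key, the 16-code window, and the HMAC-based code derivation are
constructed stand-ins for a real fob's per-device secret and block cipher.
The final function contrasts this with a fresh-nonce challenge-response
unlock, where a recorded answer is worthless against the next challenge, so
only a relay or a genuine protocol/crypto weakness is left to attack.

```python
"""Rolling-code unlock, plain replay, rolljam, and a challenge-response
contrast. Constructed demo; not any vendor's protocol or code."""
import hashlib
import hmac
import os

KEY = b"constructed-demo-fob-key"  # assumption: a real fob key is per-device
WINDOW = 16  # assumption: receiver accepts the next 16 unseen counter values


def rolling_code(key: bytes, counter: int) -> bytes:
    """Over-the-air code for one button press. Truncated HMAC stands in for
    the block cipher a real fob uses. The counter itself is never transmitted,
    so the receiver has to search its window for a counter that matches."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        return rolling_code(self.key, self.counter)


class Receiver:
    """Accepts a code only if it maps to a counter strictly ahead of the last
    one accepted, within WINDOW. This kills plain replay but not rolljam."""

    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def hear(self, code: bytes) -> bool:
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            if hmac.compare_digest(rolling_code(self.key, c), code):
                self.last = c  # roll forward; every counter <= c is now dead
                return True
        return False


def plain_replay(fob: Fob, rx: Receiver) -> bool:
    """Owner presses once and the car hears it; replaying that code fails."""
    code = fob.press()
    assert rx.hear(code)
    return rx.hear(code)  # False: that counter has already been consumed


def rolljam(fob: Fob, rx: Receiver) -> dict:
    """Jam-and-replay, modelled as steps rather than RF:
    1. Jam so the car misses press #1; the attacker records code1.
    2. Jam press #2 as well; record code2 and immediately replay code1.
       The car unlocks, so the owner notices nothing.
    3. The attacker now holds code2, a code the car has never seen."""
    code1 = fob.press()  # jammed: the receiver never hears it
    code2 = fob.press()  # jammed too; attacker replays code1 right away
    owner_unlocked = rx.hear(code1)
    attacker_unlocked_later = rx.hear(code2)  # still ahead of rx.last
    return {
        "owner_unlocked": owner_unlocked,
        "attacker_unlocked_later": attacker_unlocked_later,
        "code2_replay_again": rx.hear(code2),  # False once it has been used
    }


def fob_answer(key: bytes, nonce: bytes) -> bytes:
    """Challenge-response fob: answer is bound to the car's fresh nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()[:8]


def replay_against_challenge_response(key: bytes) -> bool:
    """Record the answer to one challenge, replay it against the next.
    Returns True only if the stale answer is accepted (it is not)."""
    nonce1 = os.urandom(8)
    stale = fob_answer(key, nonce1)  # captured over the air
    nonce2 = os.urandom(8)
    while nonce2 == nonce1:  # keep the demo deterministic
        nonce2 = os.urandom(8)
    return hmac.compare_digest(fob_answer(key, nonce2), stale)


if __name__ == "__main__":
    fob, rx = Fob(KEY), Receiver(KEY)
    print("plain replay accepted:", plain_replay(fob, rx))
    print("rolljam:", rolljam(fob, rx))
    print("stale challenge-response accepted:",
          replay_against_challenge_response(KEY))
```

The window is what makes rolljam work: the receiver cannot tell "a press it
missed" from "a press the attacker swallowed", so it has to accept code2 on
the first honest-looking presentation. That is a property of the unlock
protocol's design, not a flaw an entrant discovers, which is one reading of
why the rules carve it out.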

~~~
glitchc
Was just at RWC 2019. The Tesla Model S keyfob has been successfully hacked.
Here are the slides for the same talk (CHES 2018):

[https://ches.iacr.org/2018/slides/ches2018-rump-talk14-slides.pdf](https://ches.iacr.org/2018/slides/ches2018-rump-talk14-slides.pdf)

~~~
termie
This is from mid 2017. "First notified Tesla on 31/08/2017 .. Tesla vehicles
produced from June onwards use a new key fob". Not sure if the new fob is
significantly better as the presentation is not clear there.

~~~
opencl
And the "fix" for people who bought the car before then was adding an option
to disable the automatic unlock (so you have to press a button) and/or require
entering a PIN to actually drive the car.

------
auiya
If my understanding of the pwn2own event is correct, it's not a CTF event and
the exploits are typically developed in advance, and then demonstrated during
the event? If there are 2 or more exploits which all work reliably, who is
determined to be the "winner"?

~~~
anotheryou
I found the Tesla rules: you need to exploit as many systems as possible as
hard as possible:
[https://static1.squarespace.com/static/5894c269e4fcb5e65a1ed623/t/5c36468c1ae6cfc9ce0a7a9f/1547060891346/01-Tesla_Table.png?format=750w](https://static1.squarespace.com/static/5894c269e4fcb5e65a1ed623/t/5c36468c1ae6cfc9ce0a7a9f/1547060891346/01-Tesla_Table.png?format=750w)

via [https://www.zerodayinitiative.com/blog/2019/1/14/pwn2own-vancouver-2019-tesla-vmware-microsoft-and-more](https://www.zerodayinitiative.com/blog/2019/1/14/pwn2own-vancouver-2019-tesla-vmware-microsoft-and-more)

------
tachang
This is some seriously good marketing. Tesla is in a unique position to offer
their car up as a prize and target. Other manufacturers could do this but
because it is hard to update their firmware they don't do it.

------
mcv
What prize do you get for pwning it sufficiently to make it drive off on its
own? Sounds like that would be the ultimate hacking competition: you get the
car if you make it drive to your own home.

~~~
imeron
250k USD as stated in the article. You can get several Teslas for that money
:D

~~~
qmarchi
You also win a Model 3.

~~~
mcv
But do you win the Model 3 you hacked, or do you first need to buy one to
hack, and then you win another one?

On some level, winning the thing you hacked doesn't sound like the best kind
of prize.

~~~
jdironman
Well, you broke it. It's yours now.

------
dsfyu404ed
Undergrads at various universities regularly pwn vehicle systems and write
reports about it for academic credit. The M3 has a lot more surface area than
the typical car most people are hacking. My prediction is that the M3 is gonna
get chewed up and spit out. This isn't a "will it get pwned" competition it's
a "who will pwn it best/fastest" competition.

------
amelius
Do you get physical access to the inside of the car first? Or does the hacking
have to happen from the outside of the car?

------
darkhorn
It looks like Tesla doesn't update many parts of its OS;
[https://www.reddit.com/r/teslamotors/comments/ag6r2f/please_...](https://www.reddit.com/r/teslamotors/comments/ag6r2f/please_help_our_turkish_tesla_community_reach/)

------
r00fus
This is a great contest. The value of winning a Tesla will be more than the
value of the Model3 up for grabs.

And it's relatively cheap for Tesla to pay out to get these vulnerabilities
found and addressed.

------
anotheryou
I give it 67 seconds

edit: there is nothing stopping someone from leasing a tesla, finding an
exploit and shooting it within the first 10 seconds, no? In general, how does
this work at pwn2own?

------
virtualmemory
Anyway, they have bitquark for security. Who can find a vulnerability in
Tesla products?

------
swarnie_
> And the first successful researcher can also drive off in their own brand
> new Model 3 after the competition ends

If you've successfully hacked a car and shared your method would you then get
in said car and drive it away? I'd like a patch or at least a factory reset
first....

~~~
Canada
Whoever pwns the Tesla probably doesn't even live in Vancouver, so no, they're
not going to drive off in the target vehicle. Tesla would have to arrange to
provide one where they live, and yeah, I think it's safe to say that one would
already be patched!

------
rhexs
Nice marketing stunt, but how many security researchers already have a Model 3
or are going to buy one to do this?

Guessing just already-successful firms / personalities that want to win Tesla
pen-testing contracts in the future?

Or has Tesla released binary blobs of their firmware systems online?

~~~
superobserver
Given enough time, we may find out. Does Pwn2Own have any stipulations against
'gaming' their events?

~~~
Canada
Exploits are already developed prior to the event. It's not a CTF where one
can reasonably be expected to find and develop an exploit during the contest.
Players get limited time to tweak what they've got in case it doesn't work,
but that's it.

~~~
superobserver
Well, my understanding is that there's a submission, then various teams are
apprised and given x hours to complete, where x would obviously be greater
than twenty-four, and not necessarily handled in one sitting, such that
there'd be a 'reveal' disclosing successful contestants. So it looks like I
wasn't mistaken there.

But that still does not address the matter of rigging and whether Pwn2Own has
clear rules against it. I don't know, which is why I asked.

~~~
Canada
Not really, it works like this:

Prior to the "contest" beginning, everyone participating has to disclose what
they have 0day for. In cases where more than one person brings 0day for a
particular target, they will attack it in turn. The order they get to go
in is random. When it's someone's turn they get like 5 minutes to exploit the
target. If they can't do it then it's the next person's turn. Whoever exploits
it first wins. So if you have two people each with a reliable exploit for the
same vuln in the same target, then who wins is really decided by the coin toss.
But let's not forget what this really is: vulnerability sales. So if there are
two different vulns in the same target, then probably the sponsor is going to
want to buy them both anyway.

What is it that you mean by rigging? The main point of the event is that
sellers feel safe exposing their warez. The rules are clear: they're going to
get paid if they have what they say they have. The sponsors get to buy the
0day and know it's real and they're not getting ripped off. And it's all in
the open and everyone gets good press.

