Security Researchers Expose Tesla Model 3 Vulnerability at Pwn2Own 2019

A research duo who hacked a Tesla were the big winners at this year’s Pwn2Own white hat security contest held in Vancouver.

According to a new report from ZDNet, Amat Cama and Richard Zhu of team “Fluoroacetate” earned $35,000 USD for their exploit, along with the Tesla they hacked. The white hat hackers managed to display a message on the car’s web browser by exploiting a just-in-time (JIT) issue in the renderer component.

For their efforts, Cama and Zhu not only took home a prize of $35,000 USD, but according to the competition’s rules, they also won the Model 3 that they successfully hacked. The pair were crowned as the Master of Pwn for 2019, as they won $375,000 USD out of the $545,000 awarded in this year’s Pwn2Own.

The companies that participated in Pwn2Own have received the details of the bugs that were exposed in the event, and are given 90 days to release security patches to fix the vulnerabilities. Tesla, for one, is happy with what transpired.

“We entered Model 3 into the world-renowned Pwn2Own competition in order to engage with the most talented members of the security research community, with the goal of soliciting this exact type of feedback,” Tesla said in a statement, adding that the software update to fix the bug that was identified by Team Fluoroacetate will be rolled out in the coming days.

“In the coming days we will release a software update that addresses this research,” a Tesla spokesperson told ZDNet in regards to the Pwn2Own vulnerability. “We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today.”



This was the first time Pwn2Own had an automotive hacking category. Fluoroacetate targeted the Tesla’s infotainment system, but the rewards were much higher for components such as the modem or tuner, Wi-Fi or Bluetooth, key fobs (including the phone used as a key), and the Autopilot system. The highest reward, up to $250,000 USD, was offered for hacking the gateway, Autopilot, or security system.

The same duo of researchers also managed to demo exploits for Apple Safari, Oracle VirtualBox, VMware Workstation, Mozilla Firefox, and Microsoft Edge, allowing the Fluoroacetate team to dominate the competition, overshadowing the earnings of all other contestants.