Tesla’s Model 3 is a big target at the next Pwn2Own

The hacker competition added an automotive category for its upcoming event in Vancouver, with the full blessing of the car company. One winning researcher will be able to claim the car itself.
(Tesla Model 3 / Tesla)

The hacking competition Pwn2Own is adding an automotive category to its March event in Vancouver, and participants will be able to take a crack at one of Tesla’s top models.

The additional category is the result of a new partnership with Tesla, according to Japanese cybersecurity company Trend Micro, which runs Pwn2Own via the Zero Day Initiative (ZDI). The contest features live demonstrations of previously unknown security exploits, with hackers winning cash prizes for successfully showing off new zero-days.

Contestants in the automotive competition will focus on the Tesla Model 3, one of the best-selling luxury cars in the past year, Trend Micro said. In addition to cash prizes, one of the cars is also up for grabs for the “first successful researcher,” ZDI said.

“Since 2007, Pwn2Own has become an industry-leading contest that encourages new areas of vulnerability research on today’s most critical platforms,” said Brian Gorenc, Trend Micro senior director of vulnerability research, in a press release. “Over the years we have added new targets and categories to direct research efforts toward areas of growing concern for businesses and consumers.”


Trend Micro said the auto category comes as a continuation of the focus on Internet of Things devices at Pwn2Own’s Tokyo competition in November. IoT was a new category and contestants chose to focus on mobile devices. No IoT exploits were demonstrated. However, ZDI does run crowdsourced vulnerability testing of smart devices through a separate program.

Tesla in 2012 became the first car company to issue over-the-air (OTA) software patches, underscoring the increasing connectedness of consumer technology. Often, the more connected things are, the more gateways there are for potential hacking.

“Since launching our bug bounty program in 2014 – the first to include a connected consumer vehicle – we have continuously increased our investments into partnerships with security researchers to ensure that all Tesla owners constantly benefit from the brightest minds in the community,” said David Lau, Tesla’s vice president of vehicle software. “We look forward to learning about, and rewarding, great work in Pwn2Own so that we can continue to improve our products and our approach to designing inherently secure systems.”

Trend Micro says more than $1 million in prizes is on the table at the Vancouver contest. In the Tesla category, bounties range from $35,000 to $300,000 — in addition to the prize car itself — based on the severity and execution of an exploit.

Familiar Pwn2Own categories are back, of course, such as web browsers, virtualization software from VMware and Microsoft, enterprise applications from Adobe and Microsoft, and Microsoft’s remote desktop protocol software.
