This week, numerous bugs were discovered in products from Tesla, Ubuntu and Microsoft at a hacking competition held in Vancouver, Canada. The bugs were exploited live at the three-day Pwn2Own hacking conference, organised by Trend Micro’s Zero Day Initiative. In essence, the event pays hackers for finding and exploiting vulnerabilities in such widely used products.
By the end of Thursday, May 19, the second day of the competition, the conference had paid out rewards worth $945,000. This included $75,000 to hackers from the offensive security company Synacktiv for a pair of unique bugs discovered in the Infotainment System of the Tesla Model 3.
These bugs enabled the hackers to take over the systems of affected vehicles. The Zero Day Initiative also ended up buying a vulnerability in the Tesla Model 3 Diagnostic Ethernet, which it went on to disclose to the electric car maker.
A tweet from the Zero Day Initiative’s page:
The @Synacktiv team shows off their remote exploit of the #Tesla Model 3. Earlier today, this research earned them $75,000 during #Pwn2Own. pic.twitter.com/PZDCcJJvcE
— Zero Day Initiative (@thezdi) May 20, 2022
Bien Pham, a security engineer at Sea Security Response, along with a team from Northwestern University, demonstrated two ‘Use After Free’ elevation-of-privilege bugs on Ubuntu Desktop. Vulnerabilities of this kind arise from flaws in how applications manage their memory: an object is freed while a reference to it is still in use. Memory-corruption bugs of this type are most often used to exploit and attack browsers.
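To make the memory-management flaw behind a ‘Use After Free’ concrete, here is an added example (not code from the article, Pwn2Own, or any of the products named) showing the dangling-pointer shape in C beside a hardened release routine that clears the caller’s pointer so later use fails loudly instead of silently reading recycled memory. All type and function names are hypothetical.

```c
/* Added example: use-after-free pattern versus a hardened release.
 * Names (session_t, session_release, ...) are hypothetical. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    char name[32];
    int  refcount;
} session_t;

session_t *session_create(const char *name) {
    session_t *s = calloc(1, sizeof(*s));
    if (s == NULL) return NULL;
    strncpy(s->name, name, sizeof(s->name) - 1);
    s->refcount = 1;
    return s;
}

/* Vulnerable shape: the object is freed but the caller keeps its raw
 * pointer. Any later access through that pointer is a use-after-free
 * (undefined behaviour), and an attacker who can reallocate the freed
 * slot controls what the stale read or write touches. */
void vulnerable_release(session_t *s) {
    free(s);            /* caller's copy of `s` now dangles */
}

/* Hardened shape: release takes the address of the caller's pointer,
 * scrubs the object, frees it and nulls the pointer. A later use is a
 * detectable NULL dereference rather than a silent read of reused memory.
 * Double release is also harmless because the second call sees NULL. */
void session_release(session_t **sp) {
    if (sp == NULL || *sp == NULL) return;
    memset(*sp, 0, sizeof(**sp));
    free(*sp);
    *sp = NULL;
}

/* Returns the refcount, or -1 if the handle was already released. */
int session_refcount(const session_t *s) {
    return s ? s->refcount : -1;
}

/* Safe lifecycle: create, use, release, then attempt reuse.
 * Returns 0 when the released handle is correctly rejected. */
int safe_lifecycle_demo(void) {
    session_t *s = session_create("constructed-session");
    if (s == NULL) return -2;
    int before = session_refcount(s);   /* 1 while live */
    session_release(&s);
    session_release(&s);                /* second release is a no-op */
    int after = session_refcount(s);    /* -1: handle is NULL now */
    return (before == 1 && after == -1) ? 0 : 1;
}

int main(void) {
    printf("safe lifecycle: %s\n", safe_lifecycle_demo() == 0 ? "ok" : "FAIL");
    return 0;
}
```

The pattern worth taking away is that freeing memory is only half of the job: every live reference must be invalidated at the same point, and review or tooling (AddressSanitizer, for instance) should treat a `free()` that leaves a reachable pointer behind as a defect.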
Additionally, another ‘Use After Free’ vulnerability was discovered in Ubuntu on the third day of the conference, alongside further bugs found in Microsoft Windows 11. The event’s opening day saw 16 zero-day vulnerabilities exploited in Apple Safari, Mozilla Firefox, Ubuntu Desktop, Oracle VirtualBox, and Microsoft’s Teams and Windows 11. Notably, well over $800,000 was awarded for those 16 zero days.
This year’s competition in Vancouver marked the event’s 15th anniversary. It featured about 17 contestants from several cybersecurity companies, who targeted 21 distinct products across multiple categories. Leading the way at the close of the second day on May 19 was STAR Labs, with total earnings of $270,000.
Following the close of the conference on Friday, May 20, vendors have 90 days to release fixes for the bugs and vulnerabilities revealed during the competition. The hackers targeted products from multiple categories, including servers, automotive, web browsers, virtualisation, enterprise communications and local escalation of privilege.