By Aaron Luo (Sr. Staff Engineer, Automotive) and Vit Sembera (Sr. Threat Researcher, Automotive)
Pwn2Own Vancouver 2023 came to an end last week with phenomenal results. Nine teams joined this year’s spring edition of the biannual hacking competition, which was held from March 22 to 24 in Vancouver, Canada. Between them, they demonstrated 27 unique zero-day vulnerabilities in systems and products from well-known vendors, such as Adobe, Apple, Microsoft, Oracle, Ubuntu, and VMware. And with two successful hacks, the Tesla entries turned out to be among the event highlights.
Last year, Synacktiv landed a win in Pwn2Own 2022 when the team successfully demonstrated an attack exploiting two vulnerabilities in the ConnMan binary used by the in-vehicle infotainment (IVI) system and two additional kernel vulnerabilities that ultimately allowed for remote code execution. Once the team had control of the system, Synacktiv demonstrated the attack by issuing CAN bus messages that affected the operation of other Tesla electronic control unit (ECU) components.
This year, Synacktiv returned to demonstrate two attack scenarios and reveal three different zero-day vulnerabilities. As a result, the team walked away with US$530,000 for the two attempts and, in keeping with Pwn2Own tradition, a Tesla Model 3 as well as the title Master of Pwn for this chapter of Pwn2Own.
Figure 1. The Synacktiv team in action
The first attack
Synacktiv successfully completed the first attempt on day one of the event. The hack targeted the Gateway of the Tesla Model 3 and it took the team less than two minutes to successfully complete. Synacktiv exploited a time-of-check to time-of-use (TOCTOU) issue in the Gateway, which ultimately resulted in the transmission of arbitrary CAN bus messages.
Figure 2. Synacktiv sending custom CAN bus messages
The second attack
Synacktiv’s next entry qualified for Pwn2Own’s first-ever Tier 2 award as it compromised two separate subcomponents of the Tesla, the Bluetooth/Wi-Fi chipset and the IVI system, to gain root access.
On the second day, Synacktiv came back to demonstrate an exploit of a heap overflow and out-of-bounds write zero-day vulnerability in the IVI system of the Tesla. This vulnerability was exploited through a Bluetooth attack that allowed the team to overwrite the IVI system screen with a custom image. Ultimately, the team was able to gain root-level code execution on the IVI system.
Figure 3. Synacktiv overwriting the IVI system screen with a custom image
Combining both attacks
Two hours after the IVI system vulnerability demonstration, Synacktiv attempted an additional challenge to combine both zero-day exploits (one from the first attack and the other from the second). It took the team about four minutes to exploit both vulnerabilities and gain access to the IVI system through the aforementioned Bluetooth remote attack. Finally, the team used the IVI system to send CAN bus messages via the Gateway.
The combination of the two zero-day exploits into one exploit chain in this event achieved remote penetration of the vehicle. Synacktiv was able to break into the IVI system from a remote location, and then further break into the Gateway inside the car, completing the entire attack path and realizing the dream scenario for hackers: remote control over the car.
Figure 4. Synacktiv combining both exploits to gain access to the IVI system and send CAN bus messages
While the first vulnerability would require physical access to the ECU wired port inside of the vehicle or an ECU that has already been compromised with an elevation-of-privilege attack, compared to the second attack, this one is simpler and easier to replicate. Thankfully, it involves a vulnerability that can be easily fixed.
The second attack, however, is the opposite. It involves a vulnerability that is harder for the vendor to mitigate, but it relies on a long and complex chain of exploits and is thus difficult to replicate. The second attack is also of particular note for being a successful remote attack that can lead to complete control over the car, despite the limiting initial conditions making successful attack even more difficult for an attacker.
Pwn2Own Vancouver 2023 recap
The technical details of these attacks are sparsely publicized to prevent real-world replications. However, what can be emphasized from the two discoveries is how it is even more imperative to prevent unauthorized access to the interior of vehicles and connection of compromised devices to cars for the complex roles they now play in the connected car ecosystem.
Ultimately, Pwn2Own, which is sponsored by Trend Micro’s Zero Day Initiative, is designed to bring vendors closer to the security research community. The vulnerability disclosures serve to reduce their chances of becoming real-world problems for industries such as the automotive industry by giving vendors time to address these bugs and work with the researchers who have discovered them.