Debuted in 2007, Pwn2Own is an annual high-profile hacking contest. At the event, contestants are challenged to exploit widely-used software and mobile devices with previously unknown vulnerabilities.
At the end, winners of the contest receive the device they exploited, a cash prize, and a "Masters" jacket celebrating the year of their win.
At Pwn2Own's 2019 event, a pair of hackers, Richard Zhu and Amat Cama, known as team Fluoroacetate, "thrilled the assembled crowd" as they successfully demonstrated their hack on a Tesla Model 3's internet browser.
Here, the two hackers used a JIT (just-in-time) bug in the renderer to bypass the car's memory randomization, which would normally keep secrets protected. The hackers successfully displayed their message on the hacked electric vehicle's infotainment system, and won the prize.
This included a $375,000 award and the Tesla Model 3 itself.
The 2019 Pwn2Own, which was held from March 20 to 22 in Vancouver, featured five categories: web browsers, virtualization software, enterprise applications, server-side software and the new automotive category.
Pwn2Own awarded a total of $545,000 for 19 unique bugs found in Apple Safari, Microsoft Edge and Windows, VMware Workstation, Mozilla Firefox, and Tesla.
The event marked the first time that a car was included in the annual hacking contest.
According to Tesla in an emailed statement:
"There are several layers of security within our cars which worked as designed and successfully contained the demonstration to just the browser, while protecting all other vehicle functionality."
Following the discovery, Tesla also said that it's releasing a software update to fix the vulnerability discovered by the hackers.
Tesla itself has had a public relationship with the hacker community since 2014, when the company first launched its bug bounty program. In 2018, the company increased the maximum reward payment from $10,000 to $15,000, and added its energy products as well.
Tesla’s vehicles and the company's hosted servers, services and applications are all in scope in its bounty program.