Pwn2Own Competitors Crack Tesla, Firefox, Safari, Microsoft Edge, and Windows 10

A research duo who hacked a Tesla were the big winners at the annual Pwn2Own white hat security contest, reports ZDNet. "The duo earned $375,000 in prize money, of the total of $545,000 awarded during the whole three-day competition... They also get to keep the car." Team Fluoroacetate -- made up of Amat Cama and Richard Zhu -- hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process to execute code on the car's firmware and show a message on its entertainment system... Besides keeping the car, they also received a $35,000 reward. "In the coming days we will release a software update that addresses this research," a Tesla spokesperson told ZDNet today in regards to the Pwn2Own vulnerability.

Not coincidentally, Team Fluoroacetate also won the three-day contest after earning 36 "Master of Pwn" points for successful exploits in Apple Safari, Firefox, Microsoft Edge, VMware Workstation, and Windows 10... [R]esearchers also exploited vulnerabilities in Apple Safari, Microsoft Edge, VMware Workstation, Oracle Virtualbox, and Windows 10.

The other prizes...

Besides keeping the car, they also received a $35,000 reward.

That's nothing... the ones who cracked Firefox got a free copy of Firefox. But the worst deal of all were the ones who cracked Win10, for they were obligated to accept a copy of Win10. Perhaps they'll read the terms and conditions more carefully next time. Live and learn.

Telegram, guys?

[hcs_$reboot]

$300,000 for Cracking Telegram Encryption. How about that challenge?

Re:Telegram, guys?

[gravewax]

exactly, cracks for that sort of stuff are unlikely to pop up in a pwn2own competition, they are too valuable to give away so cheaply.

Re:Telegram, guys?

[hcs_$reboot]

cracks for that sort of stuff are unlikely to pop up in a pwn2own competition, they are too valuable to give away so cheaply.

That was the point. Unlike pwn2own, the Telegram prize is much more valuable, 300k ; and hackers would better try to crack this one.

Re:Telegram, guys?

[AmiMoJo]

Interesting that Chrome isn't one of the ones on the list though. Too valuable or too secure?

Re: Telegram, guys?

It's more about how the criteria are written. $80k for a breakout which allows full system control. Something that severe would probably qualify for the top end of Google's bounty, which would be close to $200k.

Why?

[AHuxley]

Is it the quality of the OS?
The code used the software is created in?
The skill sets needed to make a browser?
More testing needed?
Better testing?
Would something like Ada ensure better software?

Re:Why?

[hcs_$reboot]

The complexity hidden behind these apparently simple and easy to use programs.

Re:Why?

You get what you pay for. I write secure code. Unit tested & input fuzzed. I use a different more secure paradigm than typical C / C++ function call stacks (which put parameters & code pointers on the stack), None of my heap stores pointers to functions or v-tables. I employ hardware memory RW controls to ensure there are is no return oriented programming, stack smashing or heap exploits (my custom memory allocator keeps all record keeping data in read only memory unless a thread is in the alloc / free function, and I check permission to call this function by examining EIP (instruction pointer) AFTER unlocking memory (otherwise one could jump to the record keeping unlock code that temporarily marks the code writable) -- the check afterwards relocks the RAM pages if permission is not approved.

Hardware could speed up the mark & unmarking of certain pages while excuting code in a specific range (the memory allocator / etc "sensitive" user code), by providing an opcode and two registers to do so. However once software designers have a "turing complete" machine they pretend it is the holy grail and all things are possible thereby without sticking it to the hardware mfgs. On the old chipsets where there was no execution ring level permissions (such as MS-DOS & DR-DOS were made for) there was no way to prevent one process from writing over another's memory. Unless you run all your software in a VM you can not provide such protections on the old chipset. This demonstrates that some hardware capabilities are required for software security to exist within performance (speed) expectations. Now we have execution rings & memory virtualization. We can now isolate processes thanks to these hardware features. Now we also need to ensure that only certain functions (regions of code) can modify certain pages of process memory. We don't have that hardware capability and no popular OS provides it. I can emulate it via memory mapping and IPC and using a separate process to do all memory (de)allocation, but it is fucking slow as molasses...

TL;DR: provably secure software exists. You won't pay for security. You don't get developers like me. We have no clout to push for the HW features needed for securing your platforms. Also, spies.

Re:Why?

[AHuxley]

Every year the software people need to trust and use keeps on not been secure.

Re:Why?

[RespekMyAthorati]

English?

Easy

[wolfheart111]

Peasy...

What does Tesla's web browser run on nowadays?

[Pinky's+Brain]

The last time they had a browser hack the hackers could control breaks, do they have a decent hardware firewall in place now or is it still a shitshow?