Digital Guardian's Blog

Hacking Cars For Fun and Profit at Pwn2Own

by Chris Brook on Wednesday March 27, 2019

Web browsers, virtualization software, even cars – nothing was off limits last week at Pwn2Own, the annual hacking competition held alongside CanSecWest in Vancouver.

Two hackers, Amat Cama and Richard Zhu, working under the pseudonym Fluoroacetate, managed to hack a car - a first for Pwn2Own - Friday afternoon to close out the conference. The pair, targeting a Tesla Model 3's infotainment system, successfully exploited the car's internet browser, a feat that earned them $35,000 and the car itself. The successful attempt allowed the team to walk away from the competition with $375,000, more than seven times as much as any other group in competition this week. 

It took some time to confirm, but according to the Zero Day Initiative, the duo technically exploited a JIT bug in the vehicle's browser renderer to win the car.

The hack put some wind back into the competition’s sails following news shortly after noon on Friday – early morning Vancouver time – that another group that was planning an automotive exploit, KunnaPwn, was going to withdraw their entry from the category. It was unclear at the end of the day Friday why KunnaPwn withdrew their entry; the group tweeted "We're running out of time. Looks like Kunna!Pwn this time" Friday morning.

The Zero Day Initiative (ZDI), which sponsors Pwn2Own with Trend Micro, announced in January that it was planning to expand the competition to include an automotive category. As part of the competition, the ZDI said it would award different sums for different exploits against the vehicle's key fobs, infotainment system, modem or tuner, and so on.

Earlier in the week, on Thursday, there were no failures; everyone who attempted an exploit succeeded, a rarity for the contest.

Mozilla's Firefox browser and Microsoft's Edge browser were hit early and often on the contest's second day.

Two hackers, Amat Cama and Richard Zhu, working under the pseudonym Fluoroacetate, were able to bring down both: Firefox with a JIT bug and an out-of-bounds write in the Windows kernel, and Edge with a type confusion, a race condition in the kernel, and an out-of-bounds write in VMware. While both were impressive, it was the Edge/VMware exploit that netted them the most cash: $130K.

Two other contestants, working solo, also managed to take down the browsers. Niklas Baumstark, a German hacker, was able to chain together a JIT bug in Firefox and a logic bug to escape the browser's sandbox. Another hacker, Arthur Gerkis of Exodus Intelligence, a Texas-based threat intel firm, took down Edge with a double free in the renderer and a logic bug to bypass the sandbox.

Earlier in the week, on Wednesday, hackers managed to take down Apple's Safari browser, Oracle VirtualBox, and VMware Workstation.

The Fluoroacetate team was responsible for breaking all three. They exploited the browser and managed to escape the sandbox by combining an integer overflow and a heap overflow, netting them $55,000. With their VirtualBox hack, the two used both an integer underflow and a race condition, which allowed them to escalate from the virtual client. The duo also used a race condition, which led to an out-of-bounds write, on VMware Workstation. That exploit allowed them to go from the virtual client to executing code on the underlying host operating system.

Another group of hackers, working under the name Phoenhex & Qwerty, also took down Safari on Wednesday through kernel elevation, something that resulted in a complete system compromise through a cocktail of bugs including a JIT bug, a heap out-of-bounds read, and a time-of-check-time-of-use bug.

One of the group's hackers, Niklas Baumstark, clearly has a knack for owning Macs. Last year, working alongside German hacker Samuel Groß, Baumstark used a JIT optimization bug in Safari, paired with a macOS logic bug, to escape Safari's sandbox.

Phạm Hồng Phi, a/k/a @4nhdaden, working under STAR Labs, a Singapore-based cybersecurity group, also took down VirtualBox on Wednesday. Phi managed to exploit VirtualBox, Oracle's open source virtualization product, via an integer underflow to escalate from the virtual client to execute his code at medium integrity.

Tags: Vulnerabilities

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.