Tesla, Microsoft and Ubuntu bugs found during Pwn2Own hacking competition
Jonathan Greig May 20, 2022

Several bugs in Microsoft, Ubuntu and Tesla products were found and exploited during the three-day Pwn2Own hacking conference in Vancouver this week.

The conference – organized by Trend Micro’s Zero Day Initiative – gives hackers a chance to earn money in exchange for discovering and exploiting vulnerabilities in popular products. 

By the end of day two on Thursday, the conference had paid out $945,000 in rewards, including $75,000 to hackers with offensive security company Synacktiv for two unique bugs found in the Tesla Model 3 Infotainment System.

The bugs allowed hackers to take over some of the car’s systems.

The Zero Day Initiative also ended up purchasing a vulnerability in the Tesla Model 3 Diagnostic Ethernet and disclosing it to the car manufacturer. 

A security engineer at Sea Security Response, Bien Pham, and a team from Northwestern University demonstrated two ‘Use After Free’ elevation of privilege vulnerabilities on Ubuntu Desktop. Use After Free bugs are memory corruption vulnerabilities that occur when an application keeps using memory after it has been freed. They are typically used to attack and exploit browsers.

Another Use After Free bug was found in Ubuntu on day three of the competition alongside other Microsoft Windows 11 vulnerabilities. 

The first day of the event saw 16 zero-day bugs exploited in Ubuntu Desktop, Apple Safari, Oracle VirtualBox and Mozilla Firefox, as well as Microsoft’s Windows 11 and Teams.

More than $800,000 was awarded for the 16 zero-days exploited. 

The competition, which marked its 15th anniversary this year, featured 17 contestants from dozens of cybersecurity companies targeting 21 different products across multiple categories. STAR Labs led the way at the end of the second day with total earnings of $270,000. 

Vendors have 90 days to produce a fix for all vulnerabilities disclosed during the competition. 

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.