Hackers typically crack software, but web application security researcher Sam Curry quite literally cracked his Tesla Model 3 and discovered a vulnerability that earned him a hefty reward from the car maker's bug bounty program.
After a rock bounced up and damaged the windshield of Curry's very own Model 3, the seemingly unlucky happenstance actually led him to a vulnerability that he says could have allowed attackers to pull and modify live information about drivers' vehicles, and possibly view customer information as well.
The find earned him $10,000 from Tesla's bug bounty program, Curry reported in a July 14 post on his personal blog.
Curry (@samwcyo), who hails from Elkhorn, Neb., said he purchased the vehicle earlier this year, and in April 2019 attempted to find vulnerabilities in the "Name Your Vehicle" functionality as well as the web browser. At one point, while inputting the name of his car, he entered a particular line of code designed to hunt cross-site scripting (XSS) vulnerabilities.
Curry's efforts didn't immediately yield any significant finds. But then in June 2019, his car suffered that cracked windshield. Things got interesting shortly after the researcher used Tesla's in-app support feature to set up an appointment with a Tesla support agent.
"One of the agents responding to my cracked windshield fired my XSS hunter payload from within the context of the 'garage.vn.teslamotors.com' domain," Curry wrote in his post. This domain corresponded to a dashboard page that displays the vehicle's vital statistics, and is accessible via an incremental vehicle ID number in the URL. Curry noted that the dashboard appears to be an internal application that allows Tesla live support agents to send updates to cars or modify their configurations.
"There was current information about my car shown in the attached XSS hunter screenshot like the speed, temperature, version number, tire pressure, whether it was locked, alerts, and many more little tidbits of information," Curry explained. "Additionally, there were tabs about firmware, CAN viewers, geofence locations, configurations, and internal code-names that sounded interesting..."
Further investigation ultimately uncovered a vulnerability: "I didn't attempt this, but it is likely that by incrementing the [vehicle ID number] sent to the vitals endpoint, an attacker could pull and modify information about other cars," Curry wrote. "If I were an attacker attempting to compromise this I’d probably have to submit a few support requests but I’d eventually be able to learn enough about their environment via viewing the DOM and JavaScript to forge a request to do exactly what I'd want to do."
Curry said Tesla issued a hot fix less than 12 hours after he reported the issue to the company.
"This was an unusual way for a bug to come to the surface, but we have been incredibly impressed by the handling from both sides," said Casey Ellis, CTO and founder of Bugcrowd, which provides the platform for Tesla's vulnerability disclosure program. "It takes extreme maturity as a security team to find and fix quickly, particularly when presented with unpredictable and valuable input from the researcher community. Ultimately that's a place we'd like everyone to get to."
