A researcher known online as Nullze discovered that the Tesla Model 3 web interface is affected by a denial-of-service (DoS) vulnerability. The bug received the identifier CVE-2020-10558, and with it, an attacker could cause the car’s main touchscreen to stop responding to user requests.
“The vulnerability allows attackers to remove the speedometer, web browser, climate control, turn signals, navigation, autopilot notifications, as well as other functions from the main screen,” the specialist explains in his blog.
To exploit the vulnerability, an attacker must get the user to visit a specially crafted malicious web page. The page crashes the Chromium browser interface and, in effect, brings down the entire Tesla Model 3 interface. The car can still be driven, but to get the display working again, the driver has to turn the car off and on again.
The researcher notified the company of the problem through its official bug bounty program on Bugcrowd. The company rewarded Nullze for finding the bug, but the amount of the reward was not disclosed (Tesla usually offers from $100 to $15,000 for vulnerabilities). The vulnerability was fixed with the release of firmware version 2020.4.10 in February of this year.
Tesla owners who have not yet installed the update can examine the vulnerability using a proof-of-concept exploit published by Nullze. Alternatively, the video demonstration that the researcher posted shows the same effect.