By Karla Reffold

At the Pwn2Own conference in Tokyo this week, researchers earned over $1 million by discovering 48 new vulnerabilities in automotive products, including ones by Tesla. While the security of Tesla cars often comes under scrutiny, we are yet to see any malicious activity against them. To mitigate risk, Tesla works with bugcrowd, a bug bounty facilitator, for their bug bounty program. They also take part in annual conferences and allow researchers access to both their driving and entertainment systems. Last year researchers found 27 vulnerabilities earning bounties of over $1 million and a Tesla Model 3 car.

At least one of the vulnerabilities discovered would give threat actors access to the modem of the car itself. As Tesla has 90 days to issue patches, limited details on the impact has been released.

While vehicle security is a top priority, Tesla has come under scrutiny for their privacy practices. Former employees have detailed company processes which invade customer privacy. For example, Tesla reportedly had access to camera footage from their cars showing individuals in their homes.¹

The Tesla headlines have all been accompanied by the words “zero-day” which follows a spate of headlines concerning zero-day vulnerabilities. However, the term can be misleading as it is used differently across news reports and can vary depending on context.

The definition of a zero-day is a vulnerability for which no patch exists. They pose a higher risk as software developers have not had time to issue a patch for them. Typically, this phrase is used when the vulnerability was not known to researchers and security professionals only discover their existence when the vulnerability is exploited by a threat actor.

Yet in the Tesla example, these pose a limited risk as these are not public and the company is working to issue a patch before making them known. Researchers have demonstrated the capability exists (aka issuing a proof of concept) but there is no evidence of these vulnerabilities being used by threat actors (aka in the wild).

It is important to note that zero-days may represent little risk to most companies. The majority of financially motivated attacks use tried and tested techniques and their high success rate means threat actors do not need to immediately evolve their attacks with each new vulnerability. While it is true that techniques have evolved quickly in the past few years, that immediacy is not always required.²

What has increased significantly in the past two years is the number of zero-days that have been discovered.³ There are several reasons for the increase. China is often the developer of zero-days and there has been increased cyber activity from them. Improved vulnerability prioritization and patching cadences have forced threat actors to adopt new techniques.

Zero-day vulnerabilities are increasingly expensive and difficult to develop. The sophistication required to exploit zero-days means only the most well-resourced threat actors are able to develop them. The best resourced groups are typically nation state threat actors, therefore, organizations at particular risk from these groups should be most concerned. Other organizations should take note of zero-days but they may have more time to patch depending on the group responsible for the exploit. The MOVEit exploitation is a notable exception to this theory as it was developed by the ransomware group Clop.

Research on how many vulnerabilities are ever exploited varies but few reports put the percentage in double-digits.⁴ Organizations can protect themselves by prioritizing those known to be exploited. Understanding how organizations go about prioritizing their vulnerabilities, their process for patching, and what risk-based prioritization looks like, may help identify which companies are at a higher risk. It may also help organizations to understand which threat actors they are most at risk from, and their typical tactics.

Key takeaways

• Tesla is interesting, but it has limited impact to other organizations
• Be mindful of how the zero-day phrase is used when reviewing news articles
• Understand how organizations prioritize patching when considering their risk

1 https://www.reuters.com/technology/tesla-workers-shared-sensitive-images-recorded-by-customer-cars-2023-04-06/

2 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a

3 https://securityintelligence.com/articles/zero-day-attacks-are-on-the-rise-can-patches-keep-up/

4 https://www.zdnet.com/article/only-5-5-of-all-vulnerabilities-are-ever-exploited-in-the-wild/