Windows 11 Gets Slaughtered At Pwn2Own, Tesla Model 3 Hacked As Well

This past week, Vancouver was the site of the 2022 Pwn2Own contest, a timed test of skills for hackers and cybersecurity experts. This year marked the 15th anniversary of the contest, and 2022's gathering didn't disappoint: 17 contestants attacked 21 targets, including Apple's Safari browser, Windows 11, and even the Tesla Model 3's electronics.

The contest awarded a total of $1,155,000 this year, and the biggest payouts were for serious exploits against Microsoft's Teams utility. While Teams isn't technically a part of Windows, it does come bundled with all new installs of Windows 11, which means that these exploits are practically Windows exploits. Hector "p3rr0" Peralta, Masato Kinugawa, and STAR Labs each earned $150,000 for major exploits of the utility.

Windows 11 itself wasn't spared, though. Marcin Wiązowski and STAR Labs each earned $40,000 for privilege escalation exploits against Microsoft's operating system on day one, and on day two, TO found a similar bug for a $40,000 payout of his own. Day three saw no fewer than three more fresh exploits against Windows 11, all in the serious privilege escalation category; all three winners pocketed another $40,000 each.

pwn2own 2022 vancouver leaderboard

As for the Tesla Model 3, Synacktiv was able to demonstrate a sandbox escape exploit on the car's infotainment system. That could allow an attacker to take control of the car's built-in computer and, chained with another couple of clever exploits, could feasibly be the first step toward a remote attacker taking control of the car's Autopilot system. The group earned $75,000 for the bug.

Other targets attacked at Pwn2Own 2022 included Mozilla Firefox (hacked), Apple Safari (hacked), and Ubuntu Desktop (hacked). There were a few failures, although the Zero Day Initiative, which sponsors the contest, noted that most of the failed attempts targeted valid bugs; the security specialists simply weren't able to get their exploits working within the limited time allotted.

Of course, details of the hacks aren't made public, because they're zero-days, after all. That means they haven't been patched yet, so releasing details of the exploits could allow malicious actors to make use of the bugs. Details will be revealed 3 months from now, during which time Microsoft, Tesla, Apple, and the other affected vendors should have their software all sewn up.