August 7, 2015
Hackers exploiting security loopholes in vehicle technology seems to be a prevailing trend in the auto industry. The latest such vehicle security scandal has touched Tesla Motors, whose Model S engine was turned off by enterprising researchers whose results were published by Wired. To be fair, Tesla was able to address their vehicle hacking issues in a more expeditious manner than did Fiat Chrysler. Tesla developed a patch that allowed it to quickly and remotely deliver software updates. Because Tesla vehicles lack combustion engines, they can’t be hotwired in a conventional manner. Therefore, the two Wired researchers, Marc Rogers and Kevin Mahaffey, had to resort to “hotwiring” the Model S via a computer laptop. The method of operation for hacking through the Model S vehicle security, according to the researchers, would be to plug the laptop to a network cable behind the dashboard and either start the car manually with a software command or remotely with Trojan planted within the Model S network. Technically, calling what Mahaffey and Rogers did to the Model S a “remote hack” would be a bit inaccurate, as physical access is required to control the infotainment system. But thanks to a security vulnerability involving an out-of-date browser, hackers could in theory control a Model S vehicle via the web page. Rogers and Mahaffey were able to remote control most vehicle functions, including operation of the lock doors, the trunk, the radio and touch screen display. While the Wired researchers weren’t able to shut down the Model S remotely, the vehicle security issues they exposed were considerable. Mahaffey and Rogers say that they were able to pinpoint as many as six software security vulnerabilities with the Tesla Model S, which is about six more than Tesla would’ve desired. Of course, now that Tesla is aware of the vehicle security problems, the company has taken swift and decisive steps to address them. Tesla representatives say that the company has already taken steps to remedy the Model S hacking issue via a software patch. Tesla’s statement on the matter is as follows. “Our security team works closely with the security research community to ensure that we continue to protect our systems against vulnerabilities by constantly stress-testing, validating, and updating our safeguards.” In addition, Tesla announced this week the hire of Chris Evans, former head of security for Google Inc.’s Chrome browser, to lead the company’s security efforts. For their part, both Mahaffey and Rogers say that they didn’t have any ill intent when they hacked the Model S—their stated goal was to help make Tesla and the auto industry at large aware of lapses in vehicle software security. However, black hat hackers could’ve done significant damage with this information had Tesla not closed the vehicle security defects identified by Mahaffey and Rogers. Both Rogers and Mahaffey praised some security features in the software design of the Model S. In fact, quoting Mahaffey, “I feel more secure driving in a Tesla Model S than any other connected car in the world.” The two researchers will discuss their findings at the Def Con hacker conference in Las Vegas this Friday. Image Credit: BMW Blog