Tesla Hacking Incident Shows Tesla’s Software Superiority
Originally published on EV Obsession.
I saw an interesting note on the Tesla Motors Club forum a few weeks ago about some “white hat hackers” who were going to hack a Tesla Model S at a big hacker event and thus reveal some vulnerabilities that Tesla should address.
It was an interesting read about white hat hacking and various ways of revealing vulnerabilities to big (and small) companies and governments.
I was curious what the hackers would actually do, but I wasn’t too concerned since I figured Silicon Valley–based Tesla had a superb security team and hadn’t left many holes in place.
Indeed, the hackers actually had to break into the Tesla Model S physically first, and then wire it up with an Ethernet cable in order to gain any access to it remotely. Already, this shows how strongly Teslas are protected, that you can’t really hack it remotely unless you break in and hack it physically first.
But anyhow, once in, what can you accomplish? The hackers, Kevin Mahaffey, CTO at Lookout, and Marc Rogers, principal security researcher at Cloudflare, could “manipulate the speedometer to show the wrong speed, lower and raise the windows, lock and unlock the car and turn the car on or off.” Doesn’t sound like a big deal considering they had to first break into the car anyway to do these basic things. Of course, a good spy movie would use these vulnerabilities wisely, but otherwise…?
Aside from those things, if the car was driving 5 miles per hour (8 kilometers an hour) or slower, they could shut down the car and stop it. Hmm, 5 mph, eh? (Yawn.)
No offense to the hackers, of course, but the point is that Tesla has done a pretty excellent job of protecting its cars. Above 5 mph, if a Tesla was hacked in such a way as to turn the screens black, the driver could still maintain control of the steering wheel and pull over until things got worked out.
Anyway, based on the slight security vulnerabilities these hackers identified, Tesla’s security team quickly patched up the holes and issued an over-the-air update. No other car company I’m aware of implements such updates (something the white hat hackers praised Tesla on), and here’s yet another reason to be in awe of how deeply Tesla is disrupting the car industry. It’s one of Tesla’s 5 big competitive advantages, imho. Imagine if these hackers decided to show the world what can be done with some of the other vehicles on the road… like the ones from Detroit-based companies.
Image by Zachary Shahan | EV Obsession | CleanTechnica (CC BY-SA 4.0)
Have a tip for CleanTechnica? Want to advertise? Want to suggest a guest for our CleanTech Talk podcast? Contact us here.
CleanTechnica Holiday Wish Book
Our Latest EVObsession Video
CleanTechnica uses affiliate links. See our policy here.
https://thescene.com/watch/wired/hackers-wireless-jeep-attack-stranded-me-on-a-highway
Right. 😀
Right! That will never happen.
😉
The easiest car hack is a knife to the tires. If you want remote death just use a bomb. There are tons of cheap ways to make them and it only needs enough power to blow out a tire and the brakes.
So to be clear, you are saying that its okay for a car’s computer system to be insecure and easily hackable just because someone can already plant a bomb on the car? Compromising a car’s computer system can do so much more than just crash the car. You could spy on the drivers whereabouts. You could fake the logs to make it seem as if the car was somewhere it wasn’t. You could imply that the owner committed a crime by putting the car at the scene of a crime. You could steal the car. Literally the sky is the limit. Soon people won’t think of their car as a vehicle with a computer, but as a computer with wheels. Each and every year computers become more ingrained in our lives.
A more secure computer system will always be better than a less secure system. A more secure system will save lives and money. And not just a few lives and a few dollars but thousands of lives and billions of dollars.
“you are saying that its okay..”
No where did that comment make ANY suggestions or judgements that would imply that it’s okay to do anything.
The only thing that it implies, is that there has always been a danger to vehicles if a malicious person has physical access to the vehicle. We accept those risks, because it’s old news. Just because there are new things that may happen, doesn’t mean we should go crazy with fear. Patch the systems as best we can… but this isn’t the big vulnerability that the media is making it out to be.
I am all for Uber, Lyft and will use bus, train as much as possible.
Short distance, I have a good bicycle and many pairs of shoes.
I go with a simple phrase, don’t have too many headaches over your little head.
And I’ll give you another simple phrase.
“Don’t post off topic comments.”
Once they have physical access there is no security, whether you have computers in your car or not. At that point the best anyone can (try to) do is alert the owner that the car has been broken into. This is just inane FUD because people are unused to change. We should build secure systems, but the most important security factor is remote access.
I think coming outta E-financial Musk learned that security comes first. If financial electronic transactions have ever been successfully “un-consenting NSA” hacked the industry has been secure and efficient enough to shut news of it from ever getting out. The more paranoid part of my mind thinks they probable have special contracts that make sure things remain hush hush but that is just part of my brain that comes up with movie plots so lets just ignore it.
Physical access to your car isn’t really a “hack”…..
Just like getting on someone’s facebook because they walked away while logged in… isn’t “hacking” either.
The perpetrator pwns the car once they have physical access. Even without skill, they could tamper with brake lines, mount a GPS tracker, or even fill your airbag with shrapnel.
Last time I had a car breakdown it was a software problem that made it go into limp home mode. I had to bring it to the service centre to get a software update.
Awesome…. last time I broke down, it was a mechanical problem and I needed a tow truck.
I limped home and got a flat bed tow truck from there.
If it were a Tesla, their service techs come to you.
Yeah, this is a disruptive side of Tesla that I think doesn’t get enough credit. And I just keep wondering, what will it take the big automakers to get to OTAs?
I’m not sure I’d trust mainstream automakers with OTAs. With Tesla’s paypal/Internet background I’d trust them more not to kill me with an OTA.
I trust automakers less with software that isn’t OTA updated. When a zero day is discovered, you will likely have that vulnerability for months.
I suppose the biggest threat is the OTA mechanism being hacked.
Well, the OTA mechanism is a pretty long standing, robust system.
The BIGGER threat, by far, and the way more hacks are successful, are the millions of low hanging fruit devices that go unpatched because the update mechanism is too inconvenient.
Yes and no. Cheap/easy updates allow authors to become sloppy, shortening or relaxing testing because “we could just push another fix anyway”, and effectively using customers as final testers.
Accelerating release cycles also impacts quality, and defects can easily include security lapses (those are typically not well covered by automated testing).
IMHO all the mission-critical components of a car should be rock-solid in the first place, with absolutely no need or even possibility of updates (and therefore tampering) outside well-controlled conditions (physical access, signed binaries, etc).
I can’t see any reason why a properly-designed airbag controller would ever need to be remotely tweaked, for example.
That has nothing to do with security updates… And more to do with regular software releases.
Companies face pressure to release on deadlines, even if still buggy or insecure because of competitors are racing too.
Nobody else is making software for Tesla. They don’t feel pressure to rush.
Indeed. Same here.
Its just as well they chose a secure operating system for it. Had they chosen Windows, they could have been in all sorts of trouble as its just about the only operating system that can be hacked without physical access to it
“as its just about the only operating system that can be hacked without physical access to it”
Not even close. Windows does have many vulnerabilities because of how much code there is inside… but really Linux and Mac also have plenty of remote exploits.
Think about how many websites get hacked… most of them are Apache servers running on Linux.
The original remote hacking was done to Unix systems that used phone lines.
“but really Linux and Mac also have plenty of remote exploits.” – no linux doesn’t, windows is the poster boy of all remote exploits thats why all the big websites don’t use windows.
Yet the big websites still get hacked. Yes, Windows has more vulnerabilities, and they are attacked way more because of their market share…
But YES, there are plenty of remote exploits for Linux and Mac
So the hackers could “turn the car on or off.” Not a big deal eh?
Modern cars all have theft prevention systems that make it hardly impossible to start the car without the physical key (which contains a software key that the engine’s computers require to start).
So the hackers proved you can ‘easily’ steal a Tesla once inside. Breaking into a car is child’s play for a car thief.
Many cars can similarly be tricked into On, and getting in isn’t quite child’s play, especially given these same cars have keyless entry.
If you wanna bust a window, dig electrically to install the ethernet, wait on your laptop to recognize it turn it on and then drive, doesn’t sound much easier than picking a lock and cutting some wires to spark.
Not just that but most thieves are after parts and electrics an hybrids have too much custom parts to easily resell. Hence why they’re the least stole cars by a decent margin.
White hats aren’t the most imaginative, hence the physical point of entry, they’re pretty much the bottom of the food chain.
I’m sure if it’s at all connected to the outside world there are other exploits. The story itself seems like some PR firm addressing worries brought on by remote hacks of other vehicles and a means to assure the rich their cars are safe.
Pretty much the synopsis is void/null by design. As much as it looks great to Tesla consumers all the study achieves is making a red black or green hat want to outdo the white’s point of entry, a challenge as it were to point out how amatuer ‘square’ white hats are.
Give it a couple years for an article to tell a much different tale.
What an idiotic headline. This is like those companies claiming for example that their homegrown crypto is safe because none broke it yet — that they know of, at least.
Not knowing of security problems proves precious nothing. At most, it indicates that either none bothered to try hard enough yet, or worse, that whoever found vulnerabilities preferred to keep or sell them instead of disclosing them.
The author goes even further:
Just like, wait, all the other billion+ vehicles on the road today, save for the million-or-so affected by the recent Fiat/Chrysler spectacular and inexcusable screw-up.
So @ZShahan3:disqus, as thankfully none of the vehicles sold GM, Ford, Toyota, Honda, Nissan, VW, etc etc have been remotely compromised yet as far as we know, shouldn’t you hail this as proof of their “software superiority” too? Each with its own article, complete with praises for its “superb” team and all?