Hard on the heels of the Jeep connected car hack shown off by Charlie Miller and Chris Valasek this month, a white-hat compromise of Tesla’s flagship Model S line has been demoed at Black Hat 2015.
Kevin Mahaffey, co-founder of the security firm Lookout, and Marc Rogers, principal security researcher at CloudFlare, showed how they were able to upload a Trojan back-door that allowed them remote access after connecting a computer to the car via a physical Ethernet connection. From there, they were able to remotely control functions, turn the car on and off remotely, hit the brakes if the car is moving under 5 MPH, and shift it into neutral at higher speeds.
Tesla has taken a number of different measures to address the effects of the in-total six vulnerabilities that were surfaced—and it has already deployed and developed an update to all Model S customers through an over-the-air patch that will automatically fix the issues.
Earlier in the summer, unnamed sources in the firm’s security operations leaked plans to let hackers take their best shots at the Tesla S, in the name of bug hunting.
“Our security team works closely with the security research community to ensure that we continue to protect our systems against vulnerabilities by constantly stress-testing, validating and updating our safeguards,” Tesla said in an official statement to media after the hack was revealed. “Lookout’s research was a result of physically being in Model S to test for vulnerabilities. We continue to develop further ways to harden our systems, informed by ongoing discussions with the security research community, as well as our own internal analysis.”
Connected car security is increasingly in the spotlight, with proto-hacks demonstrating everything from radio takeovers to navigation systems' hijacking. To address this growing but still somewhat little understood area of cybersecurity, a volunteer association known as "I Am the Cavalry" launched last fall, and Sen. Ed Markey (D-Mass.) has put out a disturbing report on the state of cybersecurity for automobiles.
Martin Hunt, senior business development director for the Automotive Global Industry Practice at BT told Infosecurity via email that the recent hacks are heightening the awareness on the part of automakers that they have forged a new frontier in cybercrime.
“This latest automotive security breach underlines the need for automotive firms to carefully test their vehicles before they come to market,” he said. “With systems within vehicles increasingly able to connect to various networks, vehicle cyber-crime is now a reality.”
He added, “Automotive firms should look to the established methods in place throughout the wider IT industry, like Ethical Hacking, for vehicles. Automotive manufacturers need to take steps to address possible vulnerabilities and fix them before they are exploited by cybercriminals.”
Earlier in the week, Valasek and Miller demoed a remote exploit for the Control Area Network (CAN) of a connected Jeep Cherokee—a hack that was made public last month. Chrysler is also rolling out security patches, but it’s doing it through the recall of 1.4 million vehicles and the shipping of USB drives to all affected owners. While recalls are the automotive industry’s standard response to flaws, the company has been criticized for not having a better system in place to handle cyber-issues in more of a real-time way and in line with security best practices.