Tesla Model S Can Be Hacked, And Immobile (Which Is The Real News)
Hackers say they took control of a Tesla Model S through the car’s computers. Tesla Motors says it is updating its systems with a patch to fix the vulnerability.
Cars have become computers on wheels. Crash the computer, and you could crash the car.
Two hackers decided they wanted to try doing that with a car that’s considered pretty strong in terms of software, not just hardware. They chose the Tesla Model S. And — guess what — they broke in. But that’s not the surprising part. The surprising part is how Tesla responded.
Meet the two hackers: Kevin Mahaffey is a co-founder of Lookout; Marc Rogers is a principal security researcher with CloudFlare. Both cybersecurity firms are based in San Francisco.
They came to Las Vegas to attend DEF CON, a conference where hackers exchange tricks of the trade. These two are "white hats" — people who break into networks to look for flaws and get them fixed.
Here’s how Rogers explained the hack: Tesla cars have a cable inside, which maintenance people can access to fix things. That cable is hidden, in a secret panel, either to the left of the driver or under the touch screen.
Pop it open, find the cable and plug into it.
"It doesn’t instantly give you access to anything," Rogers continued. "You have to do a few special things." Like poke holes in the software and look for bugs, for example.
The team found a few. The first gave them access to the car’s network. The second got computers on the network to leak information about "how accounts suspend together or maybe about how computers talk to each other," Rogers says.
With a fuller picture of how things work, Rogers and Mahaffey were able to persuade computers at Tesla headquarters that their laptop was the car.
"We spoke to Tesla as the car, and essentially requested permission for more information," Rogers continues. Tesla’s networks transferred over data. The hackers tore it apart, analyzed it and got administrative access to the car.
"Once we had that foothold, we then took over all the computers in the car," Rogers says.
Rogers and Mahaffey then built themselves a back door, a way to control from afar. With that back door, they brought a real-life Model S to a grinding halt.
They made a recording to document their hack. In it, Mahaffey gets into the Model S and puts on "Call Me Maybe" by Canadian singer-songwriter Carly Rae Jepsen.
He drives very slowly through a parking lot. Rogers sends a command, through his iPhone, to shut down the car. And the Tesla stops dead in its tracks. The stereo shuts down, too.
If you happen to own a Tesla, this might not be music to your ears. But the reason it’s good news is that unlike other automakers, Tesla actually has a system in place to fix bugs: regular software updates.
"This is something that seemed fully natural, in the DNA of how you build a connected product," says JB Straubel, Tesla co-founder and chief technology officer. "This is not a fresh concept in any way, form or form."
Not fresh for Tesla, anyway. The company does over-the-air updates, kind of like Apple does for iPhones. Every three months or so, every car gets a free software upgrade. No need to go to the mechanic for it.
The original intent wasn’t security. (That’s more a nice side effect.)
"It was built to give people content that they dreamed to use," Straubel says. "And that’s still the main function, whether that content is streaming music or streaming maps."
The two hackers emailed Tesla about the bugs they found. Straubel and his team invited them in for a meeting and got details, figuring it’s better that Tesla knows before the bad guys do. Tesla says it’s sending over-the-air update patches to all Model S customers.
Auto Industry Fights With IT
Other companies have come under fire recently for not having a user-friendly system in place. Last month an article in Wired magazine described how a driver lost control of his Jeep Cherokee when two hackers remotely took over the car’s computers.
In response, the car’s manufacturer, Fiat Chrysler Automobiles, recalled 1.4 million cars. Fiat Chrysler also asked Sprint to issue a makeshift fix over its network.
Earlier this year, a report by Sen. Ed Markey, D-Mass., found that automakers have fully adopted technologies like Bluetooth and wireless Internet access but have "not addressed the real possibilities of hacker infiltration into vehicle systems."
The team that hacked Tesla says all carmakers should offer over-the-air updates, and do so free of charge.
"If you require an Internet subscription for the car, maybe ten percent of people will sign up," Mahaffey says. "That doesn’t work."
He and Rogers will present their findings at DEF CON on Friday. They also suggest that automakers create a strong separation between the driving and infotainment systems inside vehicles, and build security rigorously into every component (a concept known as "defense in depth").
Ulf Lindqvist manages R&D projects in infrastructure security for SRI International. He says the not-for-profit research center is working with federal regulators on a new effort to help traditional automakers audit the cybersecurity of vehicles and build safer software systems.
"Good things are happening. It’s not going to be superfast, but we’re getting there," he says.