Depending on who you ask, it could be the most- or least-predictable development in vehicular cybersecurity: vulnerabilities in wired vehicles. Researchers at Wired discovered several of them in Tesla’s Model S, some of which they were able to actively exploit.
Lookout co-founder Kevin Mahaffey and CloudFlare Principal Security Researcher Marc Rogers spent two years poring over the Model S, looking for potential exploits, eventually uncovering half a dozen vulnerabilities. The most severe among them required physical access to the car, the electronic equivalent of hotwiring.
With physical access to the vehicle, the researchers were able to start the car with a software command and drive it. While operating the vehicle, they were also able to plant a Trojan that allowed them to remotely manipulate a limited number of core vehicle functions, including shutting the car off while somebody else was driving it.
In outlining some of the vulnerabilities for Wired, the researchers pointed out that Tesla’s overall security is very good. The “gateway” between connected services and core vehicle functions operated effectively.
They also pointed out that the company was eager to work with them to seal off the software pathways that could potentially allow for remote access to vehicle functions, which was reportedly not the case with the FCA hack.
And while Tesla’s connectivity may expose its vehicles to more threats, it also allows the automaker to address them quickly and remotely. The collaboration between Tesla and the Wired researchers resulted in a patch that has already been deployed; the vulnerabilities were effectively eliminated before anybody outside of the research team and the manufacturer was made aware of them.
By contrast, owners of FCA vehicles have to be reached by way of a traditional recall process and then have to use a USB thumb drive to patch vulnerabilities in their onboard systems.
The researchers plan to discuss the comprehensive findings of their exploration of the Model S software system at the Def Con hackers’ conference in Las Vegas.