Tesla Model S hacked, but vulnerability is already fixed, says company

Security researchers discovered a vulnerability in Tesla's Model S, allowing them to gain access to the vehicle. The company released a patch to fix the issue on Thursday.

Courtesy of Black Hat
Researchers Charlie Miller (at podium) and Chris Valasek present their car hacking technique at the 2015 Black Hat security conference.

A month after a Jeep Cherokee made headlines for being hacked on the highway – prompting the company to recall 1.4 million vehicles – experts are asking how best to make the modern automobile more secure.

Many are praising companies such as Tesla and BMW, who issue patches to their Internet-connected vehicles the same way that computer companies do. This mindset, along with Tesla’s “responsible disclosure” policy, is leaving many looking to the electric car company for advice on making cars “unhackable.”

Except Tesla vehicles just got hacked, too.

This week at the Def Con hacker conference in Las Vegas, two security researchers will explain how they were able to gain access to a Tesla Model S and force it to power down and stop. The research, described in a report posted on Lookout’s blog, was conducted by Kevin Mahaffey and Marc Rogers, both security researchers based in San Francisco.

After gaining access, the team was able to work through the entertainment system and connect to the Model S’s main control, allowing them to stop the vehicle.

Mr. Mahaffey noted in his post that Tesla did include several security measures that made the process difficult, and in many ways, the company is doing more to focus on cybersecurity for what has essentially become “rolling computers.” For example, the car would not come to an immediate stop unless it was traveling at 5 m.p.h. or less. If it were traveling faster, it would slow down gradually before stopping.

“Our research confirmed that Tesla indeed made a number of excellent security decisions in the design of Tesla Model S. It also, however, has a number of areas where we believe Tesla can improve,” he writes in the Lookout blog. “Overall, I feel more secure driving in a Tesla Model S than any other connected car on the road.”

The team contacted Tesla following the study, and “had a very positive interaction with the Tesla team.” One of the ways to fix automobile security, the researchers say, is to work together.

Their report also suggests that manufacturers secure components individually. While Mahaffey and Rogers needed physical access to the vehicle, they tell the Wall Street Journal that there’s only so much time before malicious (“black hat”) hackers realize how to access the car remotely.

“We assume that bad guys are going to be able to figure out remote access,” Mahaffey told the Journal.

While Fiat Chrysler responded to its vehicle’s vulnerability with a 1.4 million vehicle recall – which essentially became a 1.4 million USB stick distribution – Tesla released a patch to fix the issue on Thursday.

This is the difference between Tesla and Chrysler, and something that more car manufacturers are looking to tackle: by treating constantly connected vehicles the same way companies treat computers and software issues, danger can be avoided and the company can save money. After all, recalls are expensive.

Automobile manufacturing is often not approached with the same security concerns as personal computers or personal information. But if a malicious hacker gains control of a vehicle traveling on a crowded highway or a street full of pedestrians, more than just personal information could be at risk.

Vehicle companies are just starting to get involved with cybersecurity, and many flaws still remain. Many manufacturers respond only to dramatic stunts, while many other vulnerabilities go unchecked and unfixed. The low priority given to security means that more vehicles could be compromised in the future.

The goal then, says Mahaffey, is to design vehicles for the future as if they are closer to the rest of 21st century technology, rather than closer to the Model T.

"The auto industry must now consider cybersecurity as an integral part to how cars are built, just as physical safety became a critical part of how cars were built in the late 20th century," Mahaffey writes.
