A month after a Jeep Cherokee made headlines for being hacked on the highway – prompting the company to recall 1.4 million vehicles – experts are asking how best to make the modern automobile more secure.
Many are praising companies such as Tesla and BMW, which issue patches to their Internet-connected vehicles the same way that computer companies do. This mindset, along with Tesla’s “responsible disclosure” policy, has many looking to the electric car company for advice on making cars “unhackable.”
Except Tesla vehicles just got hacked, too.
This week at the Def Con hacker conference in Las Vegas, two security researchers will explain how they were able to gain access to a Tesla Model S and force it to power down and stop. The research, described in a report posted on Lookout’s blog, was conducted by Kevin Mahaffey and Marc Rogers, both security researchers based in San Francisco.
After gaining access, the team was able to work through the entertainment system and connect to the Model S’s main control, allowing them to stop the vehicle.
Mr. Mahaffey noted in his post that Tesla did include several security measures that made the process difficult, and in many ways, the company is doing more to focus on cybersecurity for what has essentially become “rolling computers.” For example, the car would not come to an immediate stop unless it was traveling at 5 m.p.h. or less. If it were traveling faster, it would slow down gradually before stopping.
“Our research confirmed that Tesla indeed made a number of excellent security decisions in the design of Tesla Model S. It also, however, has a number of areas where we believe Tesla can improve,” he writes in the Lookout blog. “Overall, I feel more secure driving in a Tesla Model S than any other connected car on the road.”
The team contacted Tesla following the study, and “had a very positive interaction with the Tesla team.” One of the ways to fix automobile security, the researchers say, is to work together.
Their report also suggests that manufacturers secure components individually. While Mahaffey and Rogers needed physical access to the vehicle, they tell the Wall Street Journal that it is only a matter of time before malicious (“black hat”) hackers work out how to access the car remotely.
“We assume that bad guys are going to be able to figure out remote access,” Mahaffey told the Journal.
While Fiat Chrysler responded to its vehicle’s vulnerability with a 1.4 million vehicle recall – which essentially became a 1.4 million USB stick distribution – Tesla released a patch to fix the issue on Thursday.
This is the difference between Tesla and Chrysler, and something that more car manufacturers are looking to tackle: by treating constantly connected vehicles the same way companies treat computers and software issues, danger can be avoided and the company can save money. After all, recalls are expensive.
Automobile manufacturing has often not been held to the same security concerns as personal computers or personal information. But if a malicious hacker gains control of a vehicle traveling on a crowded highway or a pedestrian-filled street, more than just personal information could be at risk.
Vehicle companies are just starting to get involved with cybersecurity, and many flaws still remain. Many manufacturers respond only to dramatic stunts, while many other vulnerabilities go unchecked and unfixed. The low priority given to security means that more vehicles could be compromised in the future.
The goal then, says Mahaffey, is to design vehicles for the future as if they are closer to the rest of 21st-century technology, rather than closer to the Model T.
"The auto industry must now consider cybersecurity as an integral part to how cars are built, just as physical safety became a critical part of how cars were built in the late 20th century," Mahaffey writes.