Tesla Model S infotainment system also serves as the command center to the vehicle.
Last week, Marc Rogers, of content delivery network CloudFlare, and Lookout Mobile Security co-founder Kevin Mahaffey completed a digital break-in of a Tesla. But here’s the good news behind the Tesla Model S hack. Tesla quickly released an over-the-air firmware update, to every Model S ever manufactured, that would resolve the security holes uncovered by Rogers and Mahaffey.
The Tesla Hack
Rogers and Mahaffey had to dismantle the dashboard to gain access to an ethernet port. From there, they were able to connect directly to the CAN bus, the controller area network across which car data is sent and received.
After that, they chained together four separate vulnerabilities, first to gain access to the infotainment systems and then the touchscreen used to control vehicle functions. That let them make the speedometer disappear, alter the suspension, unlock the doors and the trunk, and make the windows go up and down. They were also able to shut down the car’s electric motor below 5 mph.
Above that speed, the dashboard screens would go blank but the car would shift into neutral, giving the driver time to find a safe place to bring the car to a stop. “Ironically, that means it’s the only car that can protect itself against a successful cyber attack,” Rogers noted.
Tesla’s Response
“Tesla has taken a number of different measures to address the effects of all six vulnerabilities reported by Lookout. And, we continue to develop further ways to harden our systems, informed by ongoing discussions with the security research community, as well as our own internal analysis. The update has been made available to all Model S customers through an OTA update. We will deploy this update to all vehicles by Thursday,” a spokesperson said in a statement e-mailed to Forbes.
Other auto manufacturers are following in Tesla’s footsteps by making internet updates available for their upcoming line of vehicles, but are starting years behind Tesla.
Rogers and Mahaffey say they also found two potential browser vulnerabilities that they exposed but did not exploit. Those flaws, resident in the WebKit browser engine, could possibly have enabled remote attacks, but Tesla’s new firmware update has resolved those issues as well.
Tesla CTO Toasts Hackers
While Rogers and Mahaffey were explaining their hacks at Def Con 23 last Friday, Tesla CTO J. B. Straubel made a surprise appearance to offer them a toast and personally thank them for their work. J.B. presented the duo with “Challenge Coins,” which will Tesla will be giving to any researcher who finds a serious security hole in their vehicles.
Proud to earn challenge coins, which are given to @TeslaMotors‘s best bounty hunters. pic.twitter.com/1YfRrsOypw
— Lookout (@Lookout) August 7, 2015
