After Tesla’s Twitter account got hacked in April, they have become more serious about security for its website. Tesla is using Bugcrowd, a place where “white hat” hackers congregate, to solicit assistance in identifying security risks on the company website. Cash rewards from $25 to $1,000 are offered.
The official announcement at Bugsource reads as follows:
“Tesla values the work done by security researchers in improving the security of our products and service offerings. We are committed to working with this community to verify, reproduce, and respond to legitimate reported vulnerabilities. We encourage the community to participate in our responsible reporting process.”
Rather than posting at Bugsource, Tesla asks people to e-mail it directly to vulnerability@teslamotors.com.
For its part, Bugsource has created a Hall of Fame for those who respond to the Tesla offer. It says 22 submissions have been made so far. You can see what awards have been made once you sign up to become a Bugsource member.
The rather large elephant in the room, however, is not security for the company website. It is security for the cars the company makes, every one of which leaves the factory with internet connectivity built in. The individuals who hacked the Tesla Twitter account were mere pranksters, but people with actual malicious intent could create havoc if they are able to hack into the cars themselves.
At a time when self-driving features are being touted by many car makers, especially Tesla with its highly advanced suite of AutoPilot features, the need to guarantee the security of onboard computers and software is critical. As cars add more “drive by wire” systems that control steering and braking, the possibility of serious physical harm increases exponentially.
Just the other day, a massive intrusion into US government computer records has been reported. Government officials tell the Associated Press the hack occurred at the Office of Personnel Management and the Interior Department. It involves information about security clearances and could potentially affect four million people at every federal agency.
Two months ago, a rogue airline pilot took it upon himself to drive a passenger jet into the ground in the French Alps. Security experts told reporters that it is possible to take control of an aircraft remotely in such situations, but they are loathe to create the systems needed to do so for fear they could be hacked by people with malicious intent.
Tesla has been more pro-active than many automakers with regard to security for its onboard software. Most, especially General Motors, claim that their software is protected by the Digital Millenium Copyright Act and threaten anyone who attempts alterations to the code with arrest and prosecution.
Ted Harrington, executive partner at Independent Security Evaluators, believes manufacturers should be taking more measures to protect people’s lives, according to Forbes. “When it comes to security research, the stakes are the highest when human lives are involved. Securing the connected car is about more than just protecting data; it is about protecting lives. In that vein, auto manufacturers should be going to extreme lengths to harden their systems against the most sophisticated adversaries.
“In order to fully understand and mitigate risk, a system must go through ongoing, thorough, manual white box security assessment. With lives at stake, auto manufacturers in the era of the connected car should consider robust security assessment a business-critical mandate.”
Tesla did offer $10,000 last year to anyone who could hack a Model S. Reportedly, the prize was awarded to Chinese group Qihoo 360. Perhaps Tesla is deeply involved in insuring the digital security of its cars and simply chooses not to talk about the subject publicly. At least we hope so.
