Chinese researchers have managed to control the brakes, lights and mirrors within a Tesla Model S from afar, while the cars are moving and up to 20km (12 miles) away. The researchers also claim that their efforts will work on multiple Tesla models – they have withheld details of the world first zero day attacks and privately disclosed the flaws to Tesla.
The firm worked on the attack for several months, eventually gaining access to the motor that moves the driver's seat, turning on indicators, opening the car’s sunroof and activating window wipers.
In response to this news Brian Spector, CEO at MIRACL, commented: “These hacks demonstrate the serious problems around identity verification in today’s connected cars. Having very limited encryption, identity management and data protection within such a powerful computer is extremely dangerous and poses a real and serious threat to everyone using our roads today. Move forwards to the increasing trend for driverless cars, and the potential fallout from this lack of authentication becomes even more frightening.
“For connected cars to become more secure, relationships must be established within each and every component within a vehicle, to ensure that only a legitimate operator can control the connected devices within a car. Given the huge number of components in connected cars, hackers usually find a pathway by following a ‘weakest link’ scenario which attacks the easiest point of entry to the vehicle. This problem is compounded by the array of parts that comprise a vehicle, and the lack of a security protocol that ensures they will all work together safely and securely.
“The current security checks often fail because they rely on slow, centralised identity verification services. To connect the components more quickly and autonomously, manufacturers should deploy a distributed trust model which allows for fast pre-authorisation, and removes the roadblock of a centralised service.
“All of this requires a serious system upgrade and a greater drive for security awareness among manufacturers as well as consumers who use connected cars.”
Cesare Garlati, chief security strategist, prpl Foundation, added: “Perhaps it goes without saying that the most dangerous part of the connected car is the “connected” part. Criminals, using a little lateral thinking, can use one part of the car’s anatomy to get to another. This could have dangerous consequences if hackers found their way into more critical functions, such as the brakes as researchers were able to do with the Tesla recently. The lack of subject matter expertise with mechanical and electrical engineers is leaving systems wide open to attack. While it’s unfair to expect them to shoulder this burden, it is also unfair to place the onus squarely on the consumer who is likely to know even less about security. This is something which vendors, regulators and manufacturers must carefully consider as the evolution of connected cars continues.
"The prpl Foundation advocates three focus areas to make IoT more secure: using open source, forging a root of trust in hardware and security by separation. Interoperable open standards are the key requirement if we’re to improve IoT security– they will reduce that complexity by effectively outsourcing the trickiest work to the subject matter experts.”
Craig Young, Security Researcher at Tripwire added: “At first glance, it would appear that the details provided by the researchers conflicts somewhat with the information released by Tesla. While the researchers indicated that they could compromise a car from 20km, Tesla has reported that the car must be connected to a malicious Wi-Fi and the standard range for this is at most 300m. This could indicate that the attackers found a way to gain persistence on the car after it has disconnected, but then the 20km range seems oddly short. Instead I suspect that the attack may have actually been possible by another user on the same cell tower or with a cell site stimulator. In this case, I hope that the researchers do release further details to help understand the automotive attack surface better.
"The disclosure definitely is a cause for alarm as the attack definitely involved exploitation of a web browser leading to physical control over the car. Ideally these systems should be completely isolated from one another.”
Mark James, Security Specialist at ESET concluded: “Tesla will continue to invest and work very hard in making their cars as secure as possible. When it comes to software there is always the possibility of it being compromised, no matter how good you think your code is. The key differentiator here is how quickly you listen, change and modify any confirmed flaws found through bug bounty type programs, get them rectified and then push these out to all affected. More and more cars are going to be connected, unlike your desktop machine if it becomes compromised it’s not just money that could go missing, these types of security incidents could in the worst case scenario cause harm or even loss of life.
“Unfortunately, cyber security with regards to autonomous cars is a very real threat and one that should be treated with the utmost respect. Interconnected cars will be as common as getting your latest social networking fix wherever you are on the move these days but it comes with a real danger. The potential is huge if something goes wrong at speed and even the simplest of things could cause the driver to become distracted and be the cause of a road traffic accident. When we drive we expect to be in total control of our own vehicle, mirrors or windows moving, braking or even sudden sounds internally could all be the cause of taking our eyes off the road for the shortest of times and that could prove fatal.
"The problem is that delivering secure software is a constantly changing factor, what is considered secure today may not be secure tomorrow. The ability to modify and push our updates is very important, making sure the user is well aware of any updates and making it easy for them to be applied needs to be top of the list when it comes to protecting the users of these types of vehicles.
"The biggest single thing that you as a drivers can do to improve security is making sure you have applied all patches relating to security that are available for your vehicle. Even if you think it’s unrelated or does not affect you it may be an avenue for attack. Keeping your car up to date is even more important than keeping your desktop computer updated, making sure you keep your details up to date to enable the manufacturer or supplier to contact you if any urgent modifications need to be done that cannot be pushed over-the-air.”