Breaking Tesla: Automotive Security And What Should We Do About It

Tencent researchers hacked Tesla Model S car for research purposes and then kindly let Tesla know about it.

Are Tesla cars safe?

Safe in what respect, you may ask.

Well, a Chinese security team tested a Tesla car’s systems in order to find out how easy hackers would find it to break in.

And their findings are nowhere near comforting.

Let’s explain that a little bit.

A security team from China hacked into a test Tesla car to the extent that they could autopilot the car from a distance of about twenty kilometers.

Twenty Kilometres?

No matter how you convert that number, it is scary to think that a hacker could control your car from such a long distance.

Keen Security Lab posted a blog post on the issue and said that the Chinese team remotely controlled the Tesla car’s brakes as well.

Along with that, the research team could control:

  • The installed dashboard computer
  • Side mirrors
  • All the car’s door locks

The Chinese research team used a Tesla Model S car for their experiment.

And they controlled the car both in parking as well as driving mode.

The hackers (or researchers) pointed out that people would do well to note that they used an unmodified Tesla car.

This unmodified Tesla car came with the latest firmware.

Using this the researchers demonstrated the cyber attack.

The hackers also said that they had verified the remote attack vector on several varieties of the much hyped up Tesla Model S car.

Furthermore, the hackers said, they could see no reason why they couldn’t do the same to other Tesla car models as well.

The Chinese hacking research team posted a video on YouTube as well.

In the video, hackers showed the remote operation of the Tesla Model S car.

And they used a carpark for their experiment.

You can clearly see in the video that researchers are controlling the Tesla Model S car at low speeds for safety reasons.

What Does Tesla have To Say About This?

According to Tesla, the hackers didn’t hack a standard Tesla Model S car.

The company said that researchers/hackers gained access to its Tesla Model S car with the help of malicious Wifi hotspots.

And then they used a web browser for further control.

Hackers don’t have to come close to your modern car in order to hack it.

How Did Researchers hack Tesla Model S Car?

To really understand how they did it we have to look at the various code signing practices.

Mostly, how code signing can stymie car hackers.

After that, we need to walk through the Tencent researchers’ attack step by step.

The hackers broke down their experiment for WIRED and communicated via a series of email messages.

According to hackers, they first tried to dig up a vulnerability in Tesla’s Model S web browser.

The Tesla Model S car comes with a web browser that is based on an open source browser framework.

This framework goes by the name of WebKit.

Hackers knew that they had found a bug.

This bug allowed the hackers to run malicious code from the browser.

As mentioned before, this particular web browser comes pre-installed in almost all Tesla cars.

The hackers then had the web browser visit a carefully built online website.

These Chinese researchers also tried to demonstrate how a Tesla Model S driver could have a lapse in judgment and visit a sabotaged website.

Hackers And Their Tesla-Hacking Network

First, the hackers created a Wifi Hotspot of their own.

They named the Wifi Hotspot “Tesla Guest”.

For those who don’t know, this is a pretty common name for the Tesla Wifi network found at most Tesla dealerships.

Then hackers moved forward and enabled exclusive access with the network’s shared password.

As you already know, most of the WiFi shared passwords are common in nature.

And are sometimes easy to guess too.

The shared password this time worked with the dealership guest networks as well.

Hackers found that information on the web.

After that, they configured the newly created Wifi Hotspot network.

And they did it in a way so that any Tesla car’s WiFi feature would auto-connect to their network.

As soon as the car connects to the open network, it would load and then render the pre-made malicious page.

Samuel LV, who is the director of the KeenLab security team at Tencent, wrote that whenever the car’s driver turned on the web browser, the systems in place would direct the car’s internet traffic to the hackers’ payload page.

After that, PWN.

If you’re still wondering what PWN means, then don’t.

It merely means “hack”.

Sometimes people translate it to “take control of.”

So That’s It? Tencent Can Hack Tesla?

Tesla immediately went to work and patched the whole thing up quickly.

Not really.

Both companies have a different point of view on whether Tesla cars are this vulnerable.

Tesla believes that the Tencent researchers’ trick wouldn’t work on a car whose driver does not interact with the supposed hackers.

Tesla also claims that the car’s driver or the user would actually have to connect to the placed malicious WiFi hotspot manually.

After that, the car’s driver or the user will have to navigate to the hacker’s infected website.

Only then will this trick work.

Hackers working for Keenlab, a Tencent initiative, have even argued about the security issue and Tesla’s points with Elon Musk, the founder of Tesla, on the popular social media website Twitter.

Tencent Hackers’ Second Attack

Tencent hackers tried to up the ante by exposing another vulnerability in the Tesla Model S car.

More specifically though, they tried to take advantage of a vulnerability found in the Tesla Model S car’s Linux operating system.

This allowed the hackers to gain full privileges on the Tesla car’s head unit.

What is the car’s head unit again?

It is the computer that is located in every Tesla car’s dashboard.

So what happened next?

Sadly, this time around, these hackers could not send any meaningful commands to critical functions related to driving the car such as brakes and steering wheel.

Why?

Because Tesla Model S engineers are clever people.

They have designed the car in such a way that the car’s head unit is completely separated from its CAN bus.

Tesla has separated them with the help of a computer.

Tesla calls this computer a gateway.

This gateway only allows very specific commands sent from the Tesla car’s infotainment system to execute.

The infotainment system can send commands to the car’s driving components.

And hackers needed this communication channel to have a successful second experiment.

How Did The Hackers Overcome The Problem?

Hackers tried to bypass the safeguard by simply overwriting the Tesla car’s gateway firmware.

They replaced the default firmware with their own.

And that took code signing out of the equation.

After that, nothing could prevent hackers from taking advantage of their tactic.

Intruding a car’s system is never easy.

It is especially difficult when you are talking about a car as multifaceted as a Tesla.

And it required the hackers to dig up not just a single vulnerability.

In other words, the hackers had to expose a series of vulnerabilities, in the form of bugs, in order to tunnel through the target car’s defenses.

The hackers, who worked in a lab for a Chinese firm called Tencent, also revealed that they could dig through the Tesla Model S car’s Wifi connection.

And they could do so to the extent that they could make their way to the car’s driving systems.

And of course, this action allows these hackers to remotely activate the car’s brakes even when it is in motion.

Moreover, these hackers also exposed a quite serious chain of security problems within the Tesla Model S car.

Is There A Fix? What’s The Fix?

Automotive car vulnerabilities can be dangerous for car drivers.

How should Tesla have responded to Tencent experiments?

Well, we think, Tesla could have just reacted professionally.

And fixed at least one of the many bugs found in order to prevent the hackers’ attack.

But Tesla didn’t do that.

It did something else.

Rather, it implemented a much more fundamental security feature.

This feature, Tesla believes, would make the car more unhackable.

In other words, hackers would have to work much harder in order to hack Tesla vehicles now.

And some believe the new feature will make it hard for even the most sophisticated hackers to compromise Tesla car systems.

Tesla also added a new measure that covers any and all new firmware code written directly to the components located on the CAN bus.

The CAN bus is basically the internal network of computers that control all the car’s functions, such as the brakes, the steering wheel and even the windshield wipers.

The new measure means that any new firmware must come with the proper digital signatures.

And those digital signatures must come from a cryptographic key.

Moreover, Tesla is the only entity that would possess this cryptographic key.

This new mode of protection is also known as code signing.
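
As an added illustration (not Tesla’s code and not part of the original article), here is what such a check on a firmware image can look like in Go. The image layout, the choice of Ed25519, the demo key and the version numbers are all assumptions made for the example, and it goes one step beyond the article by also refusing a validly signed but older image.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption, not Tesla's format):
// 4-byte big-endian version | payload | 64-byte Ed25519 signature over both.
var ErrBadSig = errors.New("signature check failed")
var ErrRollback = errors.New("version older than installed firmware")

// demoKey derives a fixed key pair from a constructed all-zero seed.
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// SignImage is the vendor-side step; the private key never ships in the car.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 4, 4+len(payload)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(body, version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the component-side check, run before anything is flashed.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) ([]byte, error) {
	n := len(img) - ed25519.SignatureSize
	if n < 4 || !ed25519.Verify(pub, img[:n], img[n:]) {
		return nil, ErrBadSig // too short, modified, or not signed by the vendor key
	}
	if binary.BigEndian.Uint32(img[:4]) < installed {
		return nil, ErrRollback // validly signed, but an old release
	}
	return img[4:n], nil
}

func main() {
	pub, priv := demoKey()
	img := SignImage(priv, 7, []byte("gateway firmware v7"))
	_, ok := VerifyImage(pub, 6, img)
	img[10] ^= 0x01 // one payload bit changed after signing
	_, bad := VerifyImage(pub, 6, img)
	fmt.Println("genuine:", ok, "| modified:", bad)
}
```

The component only ever holds the public key, so taking over a component does not hand an attacker the means to produce an image it will accept.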

Tesla pushed out the update wirelessly to all Tesla Model S cars via a software update.

Tesla released the software update earlier this month.

Moreover, the company also released the update for its Tesla X SUVs.

The new update means that Tesla cars now have systems in place which have far tighter control over the car’s functions.

Now, hackers can’t just reprogram sensitive car components.

What Does The New Tesla Update Do?

Basically, it upgrades the Tesla car.

More specifically, it updates the car’s internal security systems.

Now all Tesla cars are less like a Windows PC which is prone to new malware.

Tesla cars, now, are more like an iPhone which is locked down and hence more difficult for hackers to crack.

The chief technical officer at Tesla, JB Straubel, told reporters that Tesla had planned to come up with cryptographic validation of firmware updates for a while.

And such security measures would make things in Tesla cars even more robust than before.

Straubel also noted that Tesla had long started to work on the code-signing feature.

In fact, it had started the actual work months before the Tencent experiment.

He said that Tesla had now accelerated the feature rollout because of the Tencent hackers’ report.

Readers should know that the Tesla security team quickly pushed the required fix to all Tesla X and S vehicles.

And they did so within a span of ten days.

Straubel also said that the auto industry should consider Tesla’s new feature as a standard for the future.

He said this feature hardened the car’s internal networks against skilled hackers.

Even though hackers easily found an early foothold in Tesla’s security systems in the form of a software bug, Straubel believes those times have long passed.

He also said that the world needed this in order to move forward.

Straubel ended his remark by saying that if car manufacturers aren’t quick enough, then every time someone finds a new vulnerability, the auto industry’s vehicle security would be thrown into disarray.

Is The iPhone More Secure Than Your Smart Car? Some Say Yes.

The fact is, code signing is not a new feature.

Smartphones along with desktop computers have had this feature for some years now.

Code signing is the feature that stops users from installing nasty apps on their smartphones, especially the iPhone.

As most of our readers would know, one can’t simply download any app on an iPhone.

If the app doesn’t come from Apple App Store, the iPhone will not accept it.

Code signing is also the feature that triggers those warning notifications regarding untrusted applications that users see on macOS and Windows.

If you try to install a software application from an untrusted source, your operating system will warn you about it.

This is what we call code signing.

Vehicles didn’t have many electronic systems on board before.

But modern cars are more digital than ever.

They are now Internet-connected and automated.

And, as far as Tesla cars are concerned, they use code signing as a cryptographic trust feature.

But most major automotive manufacturers still don’t have this feature.

We don’t know the reason why this is so but it is strange, to say the least.

So which automotive manufacturers have this code signing feature?

Well, nobody has a definitive answer for this.

Since it is difficult to track which automotive vendors do and which don’t.

Automotive companies aren’t exactly known for transparency either.

Back in 2010, researchers hacked a Chevy Impala via OnStar and found out that it didn’t have the code signing feature.

The same happened in 2014, when hackers hijacked a Jeep Cherokee while on a highway.

Hackers did that as a demonstration for WIRED magazine.

No one can say that if Chrysler had used code signing, then hackers would not have been able to hack the Jeep.

Automotive engineers can protect their products, vehicles, with all the latest features and hackers can still compromise the product’s CAN network.

This is what Charlie Miller believes.

As we all know, Miller is one of the two hackers who carried out the previous vehicle attack.

Miller also said that even though hackers could hack a car with the code signing feature, it would take a lot of resources and skill, and that might put hackers off such a car.

Even with that, some of the biggest car manufacturers in the world have resisted all recommendations that tell them to implement the code signing feature as soon as possible.

That is according to Josh Corman who is the founder of I Am the Cavalry which is an Internet of Things security nonprofit organization.

What’s The Reason Automotive Vendors Don’t Want To Protect Their Cars?

The reason is simple.

It is difficult.

Especially given the fact that most companies have a disparate supply chain system.

Not to mention they also have to deal with incompetent:

  • Dealers
  • Mechanics
  • Aftermarket tools

All of these entities would be affected in a huge way if, for example, a Detroit giant started to require the kind of cryptographic validation for all software packages and modifications that the Apple iPhone requires.

Corman says that Tesla has done well to secure its cars.

He says that the company’s span of control over all of its vehicle parts, its suppliers and its dealers ensures that Tesla has a better security response than many other automotive manufacturers.

Corman also said that Tesla’s alertness is what gives it an objective edge over the rest of the car manufacturers.

Hacking Will Become A Big Problem For Modern Cars. Is There A Big Solution To This Big Problem?

As mentioned before, as soon as the Tencent Keenlab research team revealed its hacking techniques to the media and to Tesla, Tesla went to work and quickly rolled out patches for its cars.

Those patches fixed the car’s web browser vulnerability.

Tesla also fixed the Linux kernel flaw.

CTO Straubel says that Tesla did more than just that.

Mainly that the company actually rushed to fix the most serious and dangerous problem that Tencent hackers had exposed:

The bug that allowed any hackers skilled enough to go deep into Tesla’s internal systems to change and overwrite the firmware of the car’s driving components.

Straubel said that the web browser vulnerability should not be considered as the main issue.

He also told parents that the company felt the most relevant response included the one where Tesla fixed the firmware problem because it presented the only real risk to their cars.

Straubel also credited Keenlab researchers for their work and basically kick-starting Tesla’s efforts to work harder and push out the code signing feature as soon as possible.

He also revealed that Tesla will likely pay KeenLab research team a handsome sum of money for its fantastic work.

This reward is basically a part of Tesla’s bug bounty program.

Tesla’s CTO, Straubel, ended his comment by saying that the Tencent hacks helped the company find something that the company needs to fix as soon as possible.

And that’s why the company decided to reward them.

We don’t know about Chrysler, but all automotive manufacturers should pay proper attention to Tencent and Tesla activities.

This is the only way to learn the hard lesson that all modern cars should have the code signing feature.

If those Chinese Tencent hackers have proved anything, it is that all modern cars need the code signing feature.
