Modern automobiles form a symbiotic relationship with their onboard computers, so much so that to hack the computer is to hack the vehicle and to hack the car is to hack the computer. Just last month, a couple of security researchers remotely broke into the controls of a 2015 Jeep Grand Cherokee and seized control. Later, Andy Davis from the security firm NCC disabled a vehicle’s brakes using digital audio broadcasting (DAB). Now, whitehat hackers Kevin Mahaffey and Marc Rogers have subverted the Tesla Model S’ authentication and broken into its onboard systems.
The pair presented their findings at Defcon in Las Vegas, an annual gathering where hackers and security experts present their findings. Unlike the Jeep and brake hacks, Rogers and Mahaffey needed to physically tamper with the Tesla in order to gain access. Rogers explains that Tesla vehicles contain a hidden maintenance cable meant to be used by Tesla technicians to access the car's computer and diagnose or resolve problems. The cable is typically nestled within a secret panel, either to the left of the driver or beneath the touchscreen. Once the panel is removed, anyone can technically plug into the cable.
“It doesn't immediately give you access to anything,” Rogers continued. “You have to do a few special things,” such as exploiting bugs within the software. After eventually finding a few loopholes, the pair was able to access the car's network and figure out how the whole thing worked. They successfully authenticated their laptop in place of the car, convincing Tesla HQ to hand over data as if their PC were the car. The pair found six vulnerabilities in all.
“We spoke to Tesla as the car, and essentially requested permission for more information,” Rogers tells NPR. After sorting through it, they obtained access to the car and took over the rest of its computers. Next, as documented in a recording, Mahaffey slowly drives the car around a parking lot before Rogers sends a command through his iPhone and shuts down the car.
Immediately after the findings were presented, Tesla reacted by issuing an update to nullify the exploits. For this, the company deserves particular commendation, as the decision to incorporate “over the air” updates has enabled it to apply patches at any given time, something very few vehicle manufacturers are able to do. In fact, Tesla also works very closely with the security community to stay up-to-date on the latest threats and vulnerabilities.
Speaking with the BBC, Tesla explained that because its system was designed to handle non-security-related failures gracefully, the vehicle would actually slow down gradually if its engine was somehow disabled, rather than come to a complete stop. The company's next step is to create a strict separation between the systems that run the car and its entertainment system to avoid suffering the same fate as Jeep, which has since recalled over 1.5 million vehicles.