Hackers Able To Control Tesla S Systems From Twelve Miles Away

from the welcome-to-the-new-normal dept

Over the last few years, we've documented at length the abysmal state of security in the internet of things space. And while refrigerators that leak your Gmail credentials are certainly a problem, the growing number of exploitable vehicle networks is far more worrying. Reports emerge almost monthly detailing how easily hackers can bypass vehicle security, allowing them at best to fiddle with in-car systems like the air conditioning, and at worst to take total control of a compromised vehicle. It's particularly problematic given that these exploits may take years to identify and patch.

Enter Tesla, which, while indisputably more flexible in terms of technology, finds itself no less vulnerable to embarrassment. Reports this week emerged that Chinese white hat hackers at Keen Security Lab discovered a vulnerability in the Tesla Model S that allowed an intruder to interfere with the car's brakes, door locks, dashboard display and other electronically controlled systems in the vehicle. In a video, the researchers demonstrated how they were able to reach the vehicle's controller area network, or CAN bus, from up to twelve miles away.
Fortunately, in this instance the attack required a fairly specific set of circumstances: the car's owner first had to be lured into connecting the vehicle to a malicious Wi-Fi hotspot, and the car's built-in web browser had to be in use at the time. Also, unlike some vulnerabilities that have taken traditional automakers up to five years to patch, the researchers said in a blog post that Tesla was quick to push a firmware update fixing the issue:
"Keen Security Lab appreciates the proactive attitude and efforts of Tesla Security Team, led by Chris Evans, in responding to our vulnerability report and taking action to fix the issues efficiently. Keen Security Lab is coordinating with Tesla on issue fixing to ensure the driving safety of Tesla users."
That said, this isn't the first time hackers have highlighted vulnerabilities in Tesla vehicles. A group of researchers earlier this year demonstrated how they were able to use about $100,000 in equipment to fool the Model S's Autopilot into perceiving obstacles that didn't exist, or into missing obstacles the car would normally avoid:
"A group of researchers at the University of South Carolina, China’s Zhejiang University and the Chinese security firm Qihoo 360 says it’s done just that. In a series of tests they plan to detail in a talk later this week at the Defcon hacker conference, they found that they could use off-the-shelf radio-, sound- and light-emitting tools to deceive Tesla’s autopilot sensors, in some cases causing the car’s computers to perceive an object where none existed, and in others to miss a real object in the Tesla’s path."
Comforting! Obviously these are just the vulnerabilities we know of; there's likely a very active zero-day market for car vulnerabilities, with state actors willing to pay top dollar for exploits that let them stage "accidents" local yokel investigators aren't likely to recognize as malicious. Alongside the even worse security in many "smart" (read: wholly idiotic) internet of things appliances, we've been happily introducing tens of thousands of new network attack vectors annually. As we rush, unpatched, toward the driverless future of tomorrow, what could possibly go wrong?
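The attack chain above, a browser on the infotainment side ending up with reach into the CAN bus, is why several commenters argue that the entertainment and control networks should never be transparently bridged. As an added example (not code from this post, from Keen Security Lab or from Tesla), here is a toy CAN gateway in Python that contrasts a transparent bridge with an allow-listing gateway sitting between an infotainment segment and a chassis segment. The candump-style log lines, the interface-to-segment mapping, the arbitration IDs and the payload bounds are all constructed for the example and describe no real vehicle.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log in `candump -L` format: (timestamp) interface ID#DATA.
# Interfaces, IDs and payloads are invented for this example only.
SAMPLE_LOG = """\
(1474527000.000000) can1 3C0#0100
(1474527000.010000) can1 0B4#01
(1474527000.020000) can1 1A5#FF00
(1474527000.030000) can0 0B4#10
(1474527000.040000) can1 3C0#010000000000000000
(1474527000.050000) can1 ZZZ#01
"""

# Hypothetical mapping from CAN interface to logical bus segment.
BUS_OF_INTERFACE = {"can0": "chassis", "can1": "infotainment"}


@dataclass(frozen=True)
class CanFrame:
    bus: str      # logical segment the frame was received on
    arb_id: int   # arbitration ID (11- or 29-bit)
    data: bytes   # 0..8 byte payload (classic CAN)


_LINE = re.compile(
    r"^\(\d+\.\d+\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]{3,8})#(?P<data>[0-9A-Fa-f]*)$"
)


def parse_candump(text: str) -> Tuple[List[CanFrame], List[str]]:
    """Parse candump -L lines into frames; return (valid frames, rejected lines).

    Malformed lines, unknown interfaces, out-of-range IDs and payloads longer
    than 8 bytes are rejected rather than guessed at.
    """
    frames: List[CanFrame] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m or m["iface"] not in BUS_OF_INTERFACE:
            rejected.append(line)
            continue
        arb_id = int(m["id"], 16)
        hexdata = m["data"]
        if len(hexdata) % 2 or len(hexdata) > 16 or arb_id > 0x1FFFFFFF:
            rejected.append(line)
            continue
        frames.append(CanFrame(BUS_OF_INTERFACE[m["iface"]], arb_id, bytes.fromhex(hexdata)))
    return frames, rejected


# Hardened policy: for each (source, destination) segment pair, the only IDs
# allowed to cross and the maximum payload length each may carry. Anything
# not listed is dropped. The IDs and their meanings are hypothetical.
HARDENED_POLICY: Dict[Tuple[str, str], Dict[int, int]] = {
    ("infotainment", "chassis"): {0x3C0: 2},   # e.g. a climate/comfort request
    ("chassis", "infotainment"): {0x1A5: 8},   # e.g. vehicle speed for the display
}


def bridge(frames: List[CanFrame], dst: str) -> Tuple[List[CanFrame], List[CanFrame]]:
    """Weak design: a transparent bridge that forwards every frame from any
    other segment onto `dst`. A compromised browser on the infotainment bus
    can then emit any ID, including ones a brake controller listens to."""
    return [f for f in frames if f.bus != dst], []


def gateway(frames: List[CanFrame], dst: str,
            policy: Dict[Tuple[str, str], Dict[int, int]] = HARDENED_POLICY
            ) -> Tuple[List[CanFrame], List[CanFrame]]:
    """Hardened design: forward only allow-listed IDs on the (src, dst) path,
    and only when the payload length is within the expected bound."""
    forwarded: List[CanFrame] = []
    dropped: List[CanFrame] = []
    for f in frames:
        if f.bus == dst:
            continue  # already on the destination segment; nothing to gateway
        allowed = policy.get((f.bus, dst), {})
        if f.arb_id in allowed and len(f.data) <= allowed[f.arb_id]:
            forwarded.append(f)
        else:
            dropped.append(f)
    return forwarded, dropped


def forwarded_ids(frames: List[CanFrame], dst: str, hardened: bool) -> List[int]:
    """Which arbitration IDs reach `dst` under each design, in log order."""
    fwd, _ = gateway(frames, dst) if hardened else bridge(frames, dst)
    return [f.arb_id for f in fwd]


if __name__ == "__main__":
    frames, rejected = parse_candump(SAMPLE_LOG)
    print("rejected log lines:", rejected)
    print("bridge  -> chassis:", [hex(i) for i in forwarded_ids(frames, "chassis", False)])
    print("gateway -> chassis:", [hex(i) for i in forwarded_ids(frames, "chassis", True)])
```

With the constructed log, the bridge lets the infotainment-originated 0x0B4 frame (the one a chassis ECU might act on) straight through, while the gateway forwards only the 0x3C0 request and drops the rest, including the oversized 0x3C0 payload and the malformed line that never parse at all. The point is not the specific IDs but that the allow-list and the length bound are the policy; a browser bug on the far side of such a gateway stays a browser bug.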


Filed Under: connected cars, hackability, iot
Companies: tesla


Reader Comments



  • Anonymous Coward, 22 Sep 2016 @ 3:24am

    And this is another reason why we need strong encryption and protection for our devices.

    For those of us who value our privacy, there is no need of it.

    But for those who would give away their privacy in exchange for a shred of security, let's make it clear that not only will they not get that extra bit of security,

    but that they will be way less secure than without encrypted and protected systems.


    • Anonymous Coward, 22 Sep 2016 @ 3:35am

      Re:

      This is why you do not connect systems that are safety critical to the Internet. A car's entertainment system should not be connected to its control system.


      • Cephei, 22 Sep 2016 @ 4:06am

        Re: Re:

        A car's entertainment system should not be connected to its control system.

        Lest its control system be turned into someone else's entertainment system.


      • nasch (profile), 22 Sep 2016 @ 11:25am

        Re: Re:

        I'm guessing this type of vulnerability exists in Teslas because the company designed the systems to be remotely updateable, including control systems. Which I would say is another word for remotely exploitable (not necessarily easily, but still).


        • Anonymous Coward, 22 Sep 2016 @ 1:40pm

          Re: Re: Re:

          It is the cheapest and most convenient way of distributing updates for Tesla, though it is sold as a customer convenience, and ignores its vulnerability to hacks, or to law enforcement with warrants and gag orders.


  • Michael, 22 Sep 2016 @ 5:09am

    Wait, someone discovered a vulnerability in the security of an automobile and didn't get sued for it?

    It's almost like Tesla understands that they were just helped.


  • Anon, 22 Sep 2016 @ 5:21am

    Breaking the autopilot.

    I'm not sure I feel like a 100k set of equipment is all that much of a risk. Plenty of cheaper ways to hurt a person, and most cars' navigation systems these days (the driver) can be blinded with a $10 laser pointer or flashlight.


  • scatman, 22 Sep 2016 @ 5:21am

    surprised?

    Cars and software are both man made
    Man is not perfect
    there's always a loop hole if man is involved
    repeat


  • TRX (profile), 22 Sep 2016 @ 5:43am

    If Tesla was smart they'd write a fat check to the hackers, then offer a bug bounty for future hacks.

    If they were smarter, they'd disable internet access to their cars... but that would be an inconvenience, and convenience trumps security Every Freaking Time.


    • Anonymous Coward, 22 Sep 2016 @ 6:58am

      Re:

      EVERY FUCKING TIME!

      source: Work in IT. Security is only a problem if you get fucking hacked, or you can show an article of someone else being hacked in that way. If someone else is NOT hacked in that exact way then it is a non sequitur.

      Ideas like JEA or Security Risk Mitigation are just fucking lost on management. Entire teams would bitch about losing access to a system they never touch except during build/decom processes, and that is just fucking SOP.

      No one accepts the idea that they should just not fucking have access until they NEED IT!


    • Jeremy Lyman (profile), 23 Sep 2016 @ 7:33am

      Re:

      Tesla increased the max payout of their bug bounty program to $10,000 last year for certain types of submissions: https://bugcrowd.com/tesla


  • Anonymous Coward, 22 Sep 2016 @ 5:53am

    The computer is your friend,

    trust the computer...


    And sure. Sure, you'll get those 4 years back, Logan...
    And yeah, I'll get right on that, Dave.


  • Jeremy Lyman (profile), 22 Sep 2016 @ 6:13am

    Hey there Elmer!

    So, a browser exploit was immediately patched? Because all the cars are Internet connected? This is exactly how it's supposed to work. That's the benefit to having devices connected; which you constantly poop FUD on. Programs will have bugs, computers will have exploits. That shouldn't keep us from using them and fixing them when necessary.


    • Anonymous Coward, 22 Sep 2016 @ 6:24am

      Re: Hey there Elmer!

      That's all fine and dandy until the hacker replaces Tesla's servers with their own.

      Or the government serves a warrant to wiretap the on-board mics. Internet-connected cars face the same problems of other cloud services.


      • Jeremy Lyman (profile), 22 Sep 2016 @ 6:38am

        Re: Re: Hey there Elmer!

        Fear. Uncertainty. Doubt.

        Companies and developers should be cautious and thorough with features, but if you don't think there's any way to ever implement them, let me show you to the horse and buggy store.


        • Anonymous Coward, 22 Sep 2016 @ 6:52am

          Re: Re: Re: Hey there Elmer!

          "Companies and developers should be cautious and thorough with features"

          Should be, but they will not. Profits are the highest priority (the only priority for some), while the should-have things are shelved based upon how much the corp might be sued for.

          People do not need their motor vehicles connected to the internet. Some people would prefer to not have this "feature" and do not like being forced to pay for it. This does not make them horse 'n buggy people.


    • Anonymous Coward, 22 Sep 2016 @ 7:41am

      Re: Hey there Elmer!

      So let me get this straight. The FDA gets to regulate food and drugs and restrict my freedoms, often in ways that can be very detrimental to me and often with the intent of protecting pharmaceutical profits (i.e., by not allowing me to freely experiment with various treatments; it's my health, and if I have a health problem it should be my choice to decide what treatments I wish to try and in what dosages without them getting in the way), yet it's perfectly OK for companies to sell cars that may have life-threatening bugs without the required oversight to properly discourage the sale of cars with such bugs and to penalize them when bugs do show up and cause injury?

      Our priorities are backwards. The only consistent theme that the government seems to be focused on is protecting corporate profits.


    • orbitalinsertion (profile), 22 Sep 2016 @ 9:15am

      Re: Hey there Elmer!

      Oh yay, the call of the FUD. Except innovating stupid isn't innovation. When some researchers who just happen to have an interest and funding do the vendor a favor, and the vendor actually responds with a fix, it's mostly cool. But the real patch is: don't make critical systems with such a wide attack surface in the first place. It's stupid and unnecessary. It is merely trendy. The sad thing is, if IoT morons would simply make things functional without being sloppy and adding their thousands of holes so they can harvest data off you, a lot of this wouldn't happen, but most "innovations" are not really useful in the first place. The really sad thing is, people doing things like auto manufacturers have a huge pool of people and information to draw on who have already successfully executed things like, oh, fly-by-wire and other critical systems for 20-30 years, depending on what you consider relatable to contemporary automobiles.


    • Anonymous Coward, 22 Sep 2016 @ 11:12am

      Re: Hey there Elmer!

      So, a browser exploit was immediately patched? ... This is exactly how it's supposed to work.
      Except for the part where the web browser had control over the brakes. That's not some minor detail, it's indicative of a serious design flaw.

      The lack of information regarding the patch is worrying. Did Tesla just fix a browser bug, as browser vendors do every few weeks? Or did they actually make sure the web browser is isolated such that no bug like this could ever happen again?


  • Ninja (profile), 22 Sep 2016 @ 7:09am

    they were able to use about $100,000 in radio equipment to fool the Tesla S

    Pocket change!

    Vulnerabilities will happen. The question is how fast the companies fix them. The answer is usually sluggishly slow or never and this is the worst problem.


    • Anonymous Coward, 23 Sep 2016 @ 4:07am

      Re:

      Or rather, what can be done with those vulnerabilities.

      Answering also to Jeremy Lyman: the difference between a browser exploit in a computer and the same thing happening in a car is that the car can be turned into a weapon instantly.

      You don't need AKs or tons of bombs to kill 150 people: you just need a vulnerability in place, the proper stuff to exploit it and a highway full of cars at 120 km/h (75 mph).

      Moreover if you grab the proper car, namely a gas truck or something full of chemicals and other shit, and make an accident happen.


      Browser vulnerabilities fuck up your stuff: car vulnerabilities can kill you.

      I'd rather the companies be EXTREMELY careful with what they do, and without backdoors that can be exploited.


  • PT (profile), 22 Sep 2016 @ 8:39am

    A-B Test Required

    "...they could use off-the-shelf radio-, sound- and light-emitting tools to deceive Tesla’s autopilot sensors, in some cases causing the car’s computers to perceive an object where none existed, and in others to miss a real object in the Tesla’s path."

    And this would not be a problem for a human driver? Nobody ever has an accident or runs a red light because the sun on the horizon blinds them? Humans don't jump when a truck blasts off its air horn behind them?


    • Anonymous Coward, 22 Sep 2016 @ 11:27am

      Re: A-B Test Required

      "...they could use off-the-shelf radio-, sound- and light-emitting tools to deceive Tesla’s autopilot sensors...

      And this would not be a problem for a human driver?
      Much of it wouldn't be. For example, humans can't perceive radio waves, infrared/ultraviolet light, or sounds above 20 kHz. Someone with a giant flashing strobe light aimed out their windshield would be noticed quickly. But if you had an infrared light that caused the car in front of you to pull to the side of the road, it would probably be dismissed as a glitch. Or it might be difficult to prove anything at least.

      What if you could cause a crash by transmitting a radio wave or invisible light beam from a distant balcony? Nobody would suspect anything the first one or two times.


  • Anonymous Coward, 23 Sep 2016 @ 9:14pm

    Where the rubber meets the road

    Keeping a person safe inside a dangerous vehicle is one thing; keeping the driver isolated from the internet is quite another. Sometimes I see a car moving and the driver reading their phone.

    Nowadays, at least in theory, a white hat hacker could take the wheel.


