Every year, security researchers, technology companies and hackers of all backgrounds, good and bad, get together in Las Vegas for the annual Def Con cyber security conference.
In addition to discussing ways to make the Internet a safer, more secure place and exchanging the latest attack techniques being used by nefarious individuals seeking to exploit computer networks around the world, Def Con has also become a place where security professionals and so-called ‘White Hat’ hackers detail some of the big security flaws they’ve discovered in the past year.
Those vulnerabilities, often disclosed during official presentations at the event, not only give those researchers a chance to show their coding skills to their peers but also allow the companies whose networks or devices have been compromised to work with the hackers to patch the problem.
With this year’s Def Con already in full swing and more automakers than ever before offering remote connectivity in their cars, we’ve already seen some presentations from security professionals detailing the latest security flaws to afflict the automotive world.
Tomorrow, we’ll learn about a specific attack used on one of the most advanced cars to ever go on sale: the luxury Tesla Model S electric sedan.
As the Financial Times details (via GreenCarReports), Kevin Mahaffey, chief technology officer of Lookout, and Marc Rogers, principal security researcher at Cloudflare, will detail a security flaw in the Tesla Model S that allowed them to gain access to the car's on-board computer, manipulate its speedometer, raise and lower the windows, lock and unlock the car, and shut it down completely while it was moving at low speed.
But while you're going to hear analogies drawn between this new Tesla security flaw and last month's now-infamous case, in which a pair of security researchers demonstrated that they could take complete remote control of a Jeep Cherokee over the Internet while a Wired security reporter drove it down a busy highway, there are a couple of things worth mentioning about this new case.
First, the hack required physical access to the Tesla Model S in question. Second, Tesla says it already has a patch that it will be sending to every Model S remotely via an over-the-air update by the end of today.
We'll likely learn more about the specifics of the attack tomorrow, after Mahaffey and Rogers have given their Def Con presentation. But from what we understand so far, the exploit was only possible after the pair gained physical access to the vehicle chosen for the attack.
That's because they had to physically connect a computer to the car via a modified on-board Ethernet connection, presumably in order to inject compromised code onto the vehicle's system. From what we understand of the Model S and the way it is built, even gaining access to the car wouldn't have been enough: the attackers would also have needed their own custom-made cable, built to interface with the Tesla's on-board computer.
Once that initial connection was made, however, Mahaffey and Rogers say they were able to access the Model S remotely over its built-in wireless Internet connection.
No indication is given, however, of how long it took to make the necessary code modifications to the car, nor how easy it was. While we've never tinkered with a Model S, we're guessing the process took long enough that someone would have noticed had the researchers been attacking a stranger's car with malicious intent.
“We shut the car down when it was driving initially at a low speed of five miles per hour,” said Rogers of the remote exploit. “All the screens go black, the music turns off, and the handbrake comes on, lurching it to a stop.”
Experiments at higher speeds, however, resulted in a less dramatic stop: Tesla's on-board safety system cut in to prevent the parking brake from engaging at high speed. While the researchers say they were still able to turn the car off as before, the steering continued to work and the car coasted to a safe stop.
Even so, those of a nervous disposition may be unsettled by the level of access the exploit afforded the researchers. But as with previous security flaws in Tesla's always-on, interconnected software, Tesla has responded swiftly.
Indeed, before the story even broke, Tesla, working with the two researchers, had devised a security patch designed to prevent customers' cars from being exploited in the same way.
Thanks to Tesla's over-the-air update system, experienced software engineers and software-driven approach to problem solving, the patch is already being sent to customers' cars; Tesla says it will have warned drivers of the flaw and patched their vehicles remotely by the end of today.
Its swift action not only ensures that Tesla customers are protected from this new exploit, but also sets Tesla apart from the rest of the automotive industry and ahead of many software and hardware manufacturers that take days or even weeks to patch vulnerabilities.
In this case, it seems the always-on Internet connection that creates the exposure is also Tesla's biggest strength.