At DEF CON 23, Security Gurus Reveal How Hard it Was to Hack a Tesla Model S

With an always-on Internet connection and the ability to update its on-board firmware remotely, the Tesla Model S is a shining example of how automakers can use the Internet of Things to ensure cars keep up with the latest mobile communication technology.

Occupying such a highly elevated position in the tech world also makes it an obvious target for hackers eager to see just what is possible when a vehicle is given a persistent connection to the Internet. Indeed, with more remote connectivity than any other car on sale today, we’d argue that hacking the Tesla Model S is something of a Holy Grail for those seeking to establish themselves as highly skilled hackers.

Tesla's most recent security flaw has already been patched.

So when we heard last week that the Tesla Model S had indeed been hacked by security researchers Kevin Mahaffey and Marc Rogers weeks after fellow white-hat experts Charlie Miller and Chris Valasek triggered a massive Fiat Chrysler recall to fix a rather scary remote telematics security exploit, we sat up and took notice.

As Mahaffey and Rogers detailed over the weekend at the DEF CON 23 digital security conference, however, hacking the Tesla Model S was a long, laborious process full of dead ends.

Firstly, the pair had to obtain a Tesla Model S to play with, carefully taking apart the dashboard to get at the various components inside. With the dash removed, they were presented with a computer system complete with a pair of removable SD cards, a USB header on the motherboard, and a set of diagnostic ports. A proprietary cable was also laid bare, but at that point, neither knew what it might be for.

Tesla was given high praise by the security researchers for being hard to hack.

Turning their attention to the USB header in an attempt to use various well-known USB hacks to gain access to the system’s firmware, Mahaffey and Rogers discovered that Tesla had seen fit to lock the USB port’s firmware, preventing any uploading of malicious code.

Then, looking at the SD card slots, they discovered the Model S uses the same version of a software toolkit that was recently instrumental in a hack of the Sony PS Vita portable gaming console. Yet again, however, the duo discovered that Tesla Motors [NASDAQ:TSLA] had already patched the flaw.

On one of the SD cards, however, they did find a file containing the digital security keys used to start up the Tesla Model S when the key fob is in range. But without a way to exploit those keys, the researchers were still no closer.

It took further examination — and the realisation that the strange proprietary cable was in fact a specially designed ethernet network connection — before any further progress was made.

Even after gaining access to the Tesla Model S, the researchers were still restricted in what they could do.

Once they’d figured out the correct connections, the pair used a makeshift adaptor to access the ethernet port and thus the car’s onboard networking system. But even then, they had to splice a network switch into the Model S’ on-board networking system in order to exploit its secured virtual private network (VPN) to Tesla’s servers.

While connected, downloading and decompiling Tesla’s firmware was possible, they report, but access to the vehicle’s locking system was still not possible. After gaining access to a series of passwords stored in the data folders of the decompiled firmware, the duo say they were then able to spoof various parts of Tesla’s service and maintenance network to gain access wirelessly to the vehicle.

Even then, however, the exploits were only enough to give them access to the Tesla Model S’ onboard infotainment system — not the full range of vehicular control systems.

Tesla has a good reputation for patching security exploits in double-quick time.

Indeed, only vehicle control functions available via the on-board touch-screen interface were accessible to the hackers, explaining why the duo were able to operate windows and door locks as well as emergency power-off — but not operate the accelerator, steering or brakes.

As we pointed out last week, the small series of exploits used to grant Mahaffey and Rogers access to the borrowed Tesla Model S have already been patched by Tesla in an over-the-air update.

Moreover, Mahaffey and Rogers admit that Tesla’s quick-to-fix attitude to software vulnerabilities meant that getting as far as they did with the Model S involved more locked doors and dead ends than it did open doors. In fact, they discovered that in order to do anything, a constant connection to the Tesla Model S was required to prevent Tesla’s servers from locking out access to the car.

The point? Unlike many automakers — some of whom admit to being completely unprepared for the advent of Internet-connected vehicles and the security risks that brings — Tesla is ready, willing and able to take on the best hackers head on.

Given that — and the recent hire of former Google security expert Chris Evans to become Tesla’s new head of security — we think the Californian automaker is still one of the safer cars you can choose to buy.

