from the welcome-to-the-new-normal dept
Over the last few years, we’ve well documented the abysmal security in the internet of things space. And while refrigerators that leak your Gmail credentials are certainly problematic, the rise in exploitable vehicle network security flaws is exponentially more worrying. Reports emerge almost monthly detailing how easy it is for hackers to bypass vehicle security, allowing them to at best fiddle with in-car systems like air conditioning, and at worst take total control of a compromised vehicle. It’s particularly problematic given these exploits may take years to identify and patch.
Enter Tesla, which, while indisputably more flexible in terms of technology, finds itself no less vulnerable to being embarrassed. Reports this week emerged that Chinese white hat hackers discovered a vulnerability in the Tesla S series that allowed an intruder to interfere with the car’s brakes, door locks, dashboard computer screen and other electronically controlled systems in the vehicle. In a video, the hackers demonstrated how they were able to target the vehicle’s controller area network, or CAN bus, from up to twelve miles away.
Fortunately in this instance, the attack required a fairly strict set of circumstances, including fooling the car’s owner into first connecting the vehicle to a malicious hotspot — while the car’s internet browser was in use. Also, unlike some vulnerabilities, which have taken traditional automakers up to five years to patch in the past, the researchers said in a blog post that Tesla was quick to update the car’s firmware and fix the vulnerability:
“Keen Security Lab appreciates the proactive attitude and efforts of Tesla Security Team, led by Chris Evans, in responding to our vulnerability report and taking actions to fix the issues efficiently. Keen Security Lab is coordinating with Tesla on issue fixing to ensure the driving safety of Tesla users.”
That said, this isn’t the first time that hackers have highlighted vulnerabilities in Tesla vehicles. A group of hackers earlier this year demonstrated how they were able to use about $100,000 in radio equipment to fool the Tesla S model’s autopilot feature into perceiving obstacles that technically didn’t exist, or obscuring obstacles the car would normally avoid:
“A group of researchers at the University of South Carolina, China’s Zhejiang University and the Chinese security firm Qihoo 360 says it’s done just that. In a series of tests they plan to detail in a talk later this week at the Defcon hacker conference, they found that they could use off-the-shelf radio-, sound- and light-emitting tools to deceive Tesla’s autopilot sensors, in some cases causing the car’s computers to perceive an object where none existed, and in others to miss a real object in the Tesla’s path.”
Comforting! Obviously these are just the vulnerabilities we know of, and there’s likely a very hot zero day market for car vulnerabilities, with state actors willing to pay top dollar for exploits allowing the staging of “accidents” local yokel investigators aren’t likely to ferret out as malicious. Alongside the even worse security in many “smart” (read: wholly idiotic) internet of things appliances, we’ve been happily introducing tens of thousands of new network attack vectors annually. As we rush unpatched toward the driverless future of tomorrow, what could possibly go wrong?