In-brief: Tesla Motors CTO attends DEF CON, thanking researchers for finding flaws in the Model S and seeking harmony with the security community.
If you can’t beat them, join them.
Not only were Tesla Motors representatives on hand at last week’s DEF CON 23, they were recruiting and answering questions about one of the talks targeting their Model S car. They even parked one of the cars within the Bally’s Las Vegas Hotel and Casino Convention Hall, right next to the conference’s annual Capture the Flag competition.
Over the course of the last two years, researchers Kevin Mahaffey, co-founder and CTO of mobile security firm Lookout, and Marc Rogers, principal security researcher for CloudFlare, discovered six vulnerabilities and then worked with the electric car company to patch them. Last Wednesday, one day before their scheduled talk, Tesla pushed out a patch to every Model S in the world. And unlike Fiat Chrysler, which recalled more than 1.4 million cars to patch its software vulnerabilities, Tesla only required its users to click “yes” to accept the update on their vehicles.
Mahaffey and Rogers explained the two-year process of attacking the $100K Tesla Model S with both appreciation and concern. “It’s designed the way networks are designed rather than cars,” Rogers said. To get to the internals, researchers had to plug a laptop into a physical network port behind the dashboard on the driver’s side.
“When dismantling a Tesla you will hear sounds of plastic breaking,” Mahaffey said.
Once attached, the researchers were able to use a laptop to start the car, drive it, cut the brakes or steer, even if the car was in reverse. They could also install a remote-access Trojan on the internal network while they had physical access. Unassisted remote access is not possible at this time. Unlike the Jeep Cherokee, whose infotainment system vulnerabilities opened up the system to broader attacks, Tesla has instituted a gateway that segments the infotainment system from the drive system, in theory protecting the internals.
Although designed much better than most cars, Tesla is not perfect. The researchers found an older version of Ubuntu and an out-of-date browser, Apple Webkit 5.3.4, to which Rogers added, “Come on, guys.” In terms of privacy, Tesla collects information about everything the driver and car do (Mahaffey scrolled through a long list of data they found stored within the car). Remote communications with the “mothership” (yes, that’s the name of the server at Tesla) are protected by OpenVPN; however, access was found to be possible through use of a file named “car.key”.
After anticipating months of hard work only to have it resolve so quickly, Rogers said, “I almost cried.”
While the perimeter security is very good, the researchers concluded that once an attacker has physical access, they could still move around inside quite freely.
After the talk, Tesla Motors chief technology officer JB Straubel joined Mahaffey and Rogers on stage, drinking a shot of Glenlivet scotch, a DEF CON tradition. Straubel announced an increase in Tesla’s bug bounty program, from $1,000 to $10,000, and said that ex-Google security expert Chris Evans will join Tesla as head of security.