Tesla cars have one security advantage that a lot of other cars don't: the electric vehicles are impervious to hot-wiring, so a thief can't just break into your $100,000 vehicle, pop open the steering column, futz with some cables and drive off. But if he has a computer with him, he could "hot-wire" it another way.
Two researchers have found that they could plug their laptop into a network cable behind a Model S' driver's-side dashboard, start the car with a software command, and drive it. They could also plant a remote-access Trojan on the Model S' network while they had physical access, then later remotely cut its engine while someone else was driving.
Kevin Mahaffey co-founder and CTO of mobile security firm Lookout and Marc Rogers, principal security researcher for CloudFlare, discovered the vulnerabilities after digging through the architecture of a Tesla Model S over a period of about two years and will be discussing their findings at the Def Con hacker conference on Friday in Las Vegas.
Both of these hacks require physical access to the car, at least initially, and they require control of the car's infotainment system, which has the ability to start the car or cut power to it.
But they also found that the car's infotainment system was using an out-of-date browser, which contained a four-year-old Apple WebKit vulnerability that could potentially let an attacker conduct a fully remote hack to start the car or cut the motor. Theoretically, an attacker could make a malicious web page, and if someone in a Tesla car visited the site, could gain access to the infotainment system. “From that point, you’d be able to use a privilege escalation vulnerability to gain additional access and do the other stuff that we described,” Rogers says. The WebKit vulnerability is a well-known and well-documented hole that has already been used by previous attackers to gain privileged access to other systems. Rogers and Mahaffey didn't test this method of intrusion on the Tesla, but Rogers notes that finding a privilege escalation vulnerability isn't out of the question. Tesla recently patched one in the Model S' Ubuntu Linux operating system.
The researchers found six vulnerabilities in the Tesla car and worked with the company for several weeks to develop fixes for some of them. Tesla distributed a patch to every Model S on the road on Wednesday. Unlike Fiat Chrysler, which recently had to issue a recall for 1.4 million cars and mail updates to users on a USB stick to fix vulnerabilities found in its cars, Tesla has the ability to quickly and remotely deliver software updates to its vehicles. Car owners only have to click “yes” when they see a prompt asking if they want to install the upgrade.
"Tesla has taken a number of different measures to address the effects of all six vulnerabilities reported by [the researchers]," a Tesla spokeswoman told WIRED in an email. "In particular, the path that the team used to achieve root (superuser) privileges on the infotainment system has been closed off at several different points." She also noted that the effects of some other vulnerabilities have been mitigated. "In particular, the browser has been further isolated from the rest of the infotainment system using several different layered methods."