As a Computer Scientist that has worked in Computer Security for all his life, I'm more than a little bit worried about the potential for someone hacking into my car with evil intent. At best it could lead to someone gaining access to my information, at worst it could end up with my car smashing into a column.
This has been discussed with other cars, through arcane but still theoretically feasible avenues such as hacking into the Bluetooth network, then finding software holes in the audio system or console, to then escalate to take control of the Car Area Network most modern cars have. It has been even theoretically demonstrated in some regular cars, with the limitations (mostly range) these channels impose.
The Model S opens this risk to a whole new level. A 3G connected car could, in theory, allow me to hack into it from anywhere in the world. I presume Tesla's software is of a quality comparable to that of the rest of the car, but that doesn't mean there are zero bugs there. The risks, thus, are big. Just as a virus can infect millions of PCs in a single day, an equivalent problem with the Tesla could lead to thousands of accidents, so I presume Tesla is putting special focus in this area.
So my questions to anyone in the know are:
* Did Tesla follow a process such as the Security Development Lifecycle when developing their software? If not, it doesn't matter how much attention to quality they put, big software security issues are bound to be there (especially in a green field like car software architecture). Given that this car has a single user-accessible computer that can control things such as steering, acceleration, braking, access and other such behaviors, I'm especially worried about someone building tools to take control of car settings remotely, then escalating into taking control of the UI computer, and exploiting holes in the CAN or controller software to take control of vital car systems such as the drive-by-wire systems.
* Is there any reference to the security model of the car? Even though I don't buy the "security through obscurity" method (no serious security researcher does) I could understand if Tesla considers that it wouldn't be good to release too much detail at this point since it could lead hackers in the right direction if they are some obvious flaws in the logic, but I would like to see at least that Tesla has defined a software architecture that provide some assurances and that doesn't assume there are no buffer overruns, unchecked inputs, EoPs or other such problems.
* Any formal process to confidentially communicate vulnerabilities detected? Is there a commitment from Tesla for responsible disclosure of bugs and adequate, timely responses?
* How is the software update process secured? I presume it is protected by digital signatures in the updates, but is there a chance an unsigned binary is deployed to the cars over the air? What sort of certificates are utilized? What's the assurance process for the root keys of such certificates?
* Finally, any third-party evaluation of the software in the car? Given the number of software engineers that purchased Teslas (based on the number I know are in the hands of Google, Microsoft and Apple employees) getting some third party involvement shouldn't be hard.
I hope I don't get responses such as "the car doesn't run Windows, so it doesn't need any of this", "there are no bugs", or "the remote control doesn't have options to drive the car, so this is impossible". All systems are hackable, and most are being hacked every single day. The only thing that can give me some assurance (and that can ensure Tesla won't go under in a single week after a big incident involving many cars) would be a good security process on Tesla's side. Unlike most cars, the Tesla has the advantage of being able to be updated over the air which means that as soon as a vulnerability is identified and a patch is built it can be quickly deployed to cars, but the existence of a fast, streamlined process for doing that is critical. Even more, the ability to do a remote kill of all wireless functionality if a serious vulnerability starts being exploited before there is a fix could at least help avoid a major catastrophe.
Where does one start to find out about Tesla's security processes and assurances?
Thanks!
This has been discussed with other cars, through arcane but still theoretically feasible avenues such as hacking into the Bluetooth network, then finding software holes in the audio system or console, to then escalate to take control of the Car Area Network most modern cars have. It has been even theoretically demonstrated in some regular cars, with the limitations (mostly range) these channels impose.
The Model S opens this risk to a whole new level. A 3G connected car could, in theory, allow me to hack into it from anywhere in the world. I presume Tesla's software is of a quality comparable to that of the rest of the car, but that doesn't mean there are zero bugs there. The risks, thus, are big. Just as a virus can infect millions of PCs in a single day, an equivalent problem with the Tesla could lead to thousands of accidents, so I presume Tesla is putting special focus in this area.
So my questions to anyone in the know are:
* Did Tesla follow a process such as the Security Development Lifecycle when developing their software? If not, it doesn't matter how much attention to quality they put, big software security issues are bound to be there (especially in a green field like car software architecture). Given that this car has a single user-accessible computer that can control things such as steering, acceleration, braking, access and other such behaviors, I'm especially worried about someone building tools to take control of car settings remotely, then escalating into taking control of the UI computer, and exploiting holes in the CAN or controller software to take control of vital car systems such as the drive-by-wire systems.
* Is there any reference to the security model of the car? Even though I don't buy the "security through obscurity" method (no serious security researcher does) I could understand if Tesla considers that it wouldn't be good to release too much detail at this point since it could lead hackers in the right direction if they are some obvious flaws in the logic, but I would like to see at least that Tesla has defined a software architecture that provide some assurances and that doesn't assume there are no buffer overruns, unchecked inputs, EoPs or other such problems.
* Any formal process to confidentially communicate vulnerabilities detected? Is there a commitment from Tesla for responsible disclosure of bugs and adequate, timely responses?
* How is the software update process secured? I presume it is protected by digital signatures in the updates, but is there a chance an unsigned binary is deployed to the cars over the air? What sort of certificates are utilized? What's the assurance process for the root keys of such certificates?
* Finally, any third-party evaluation of the software in the car? Given the number of software engineers that purchased Teslas (based on the number I know are in the hands of Google, Microsoft and Apple employees) getting some third party involvement shouldn't be hard.
I hope I don't get responses such as "the car doesn't run Windows, so it doesn't need any of this", "there are no bugs", or "the remote control doesn't have options to drive the car, so this is impossible". All systems are hackable, and most are being hacked every single day. The only thing that can give me some assurance (and that can ensure Tesla won't go under in a single week after a big incident involving many cars) would be a good security process on Tesla's side. Unlike most cars, the Tesla has the advantage of being able to be updated over the air which means that as soon as a vulnerability is identified and a patch is built it can be quickly deployed to cars, but the existence of a fast, streamlined process for doing that is critical. Even more, the ability to do a remote kill of all wireless functionality if a serious vulnerability starts being exploited before there is a fix could at least help avoid a major catastrophe.
Where does one start to find out about Tesla's security processes and assurances?
Thanks!
Last edited: