
Hacking the Model S for evil...

As a Computer Scientist that has worked in Computer Security for all his life, I'm more than a little bit worried about the potential for someone hacking into my car with evil intent. At best it could lead to someone gaining access to my information, at worst it could end up with my car smashing into a column.
This has been discussed with other cars, through arcane but still theoretically feasible avenues such as hacking into the Bluetooth network, then finding software holes in the audio system or console, to then escalate to take control of the Car Area Network most modern cars have. It has been even theoretically demonstrated in some regular cars, with the limitations (mostly range) these channels impose.
The Model S opens this risk to a whole new level. A 3G connected car could, in theory, allow me to hack into it from anywhere in the world. I presume Tesla's software is of a quality comparable to that of the rest of the car, but that doesn't mean there are zero bugs there. The risks, thus, are big. Just as a virus can infect millions of PCs in a single day, an equivalent problem with the Tesla could lead to thousands of accidents, so I presume Tesla is putting special focus in this area.

So my questions to anyone in the know are:
* Did Tesla follow a process such as the Security Development Lifecycle when developing their software? If not, it doesn't matter how much attention to quality they put, big software security issues are bound to be there (especially in a green field like car software architecture). Given that this car has a single user-accessible computer that can control things such as steering, acceleration, braking, access and other such behaviors, I'm especially worried about someone building tools to take control of car settings remotely, then escalating into taking control of the UI computer, and exploiting holes in the CAN or controller software to take control of vital car systems such as the drive-by-wire systems.

* Is there any reference to the security model of the car? Even though I don't buy the "security through obscurity" method (no serious security researcher does) I could understand if Tesla considers that it wouldn't be good to release too much detail at this point since it could lead hackers in the right direction if there are some obvious flaws in the logic, but I would like to see at least that Tesla has defined a software architecture that provides some assurances and that doesn't assume there are no buffer overruns, unchecked inputs, EoPs or other such problems.
* Any formal process to confidentially communicate vulnerabilities detected? Is there a commitment from Tesla for responsible disclosure of bugs and adequate, timely responses?
* How is the software update process secured? I presume it is protected by digital signatures in the updates, but is there a chance an unsigned binary is deployed to the cars over the air? What sort of certificates are utilized? What's the assurance process for the root keys of such certificates?
* Finally, any third-party evaluation of the software in the car? Given the number of software engineers that purchased Teslas (based on the number I know are in the hands of Google, Microsoft and Apple employees) getting some third party involvement shouldn't be hard.

I hope I don't get responses such as "the car doesn't run Windows, so it doesn't need any of this", "there are no bugs", or "the remote control doesn't have options to drive the car, so this is impossible". All systems are hackable, and most are being hacked every single day. The only thing that can give me some assurance (and that can ensure Tesla won't go under in a single week after a big incident involving many cars) would be a good security process on Tesla's side. Unlike most cars, the Tesla has the advantage of being able to be updated over the air which means that as soon as a vulnerability is identified and a patch is built it can be quickly deployed to cars, but the existence of a fast, streamlined process for doing that is critical. Even more, the ability to do a remote kill of all wireless functionality if a serious vulnerability starts being exploited before there is a fix could at least help avoid a major catastrophe.

Where does one start to find out about Tesla's security processes and assurances?
Thanks!
 
"security through obscurity" method still places some roadblocks for those investigating. Therefore the items you are asking about aren't well known, if at all, outside the company.

Report vulnerabilities via email, track however you wish there. They aren't opening up their bug tracking system.

Track the 3G communications with Tesla for most other things. Once wireless is enabled, I expect it'll be SSL-type communications.

The API for the phone app was figured out through taps and somebody created a successful Windows phone app based on the API discovered.

Otherwise you should be asking Tesla. And if they give you any information, I'd say SHAME ON THEM. The info you ask for is just homework for a black hat attack.
 
The security of the Model S is equivalent to any other Linux PC running a Webkit browser. Don't browse to random websites. That's the most probable avenue of attack. If there are remote vulnerabilities in the Bluetooth or Wi-Fi stacks in Linux, they'll be there in the Model S. Fortunately, that's exceptionally rare.

The Model S will have some defense to random drive-by website hijacking as it is a Linux PC running on a Tegra 3 ARM architecture - an unusual combination. No one will have ready made exploits written for that combination. They'll either be x86/Linux or ARM/Android (yes I know Android is based on Linux, but it's different enough to require different ready made exploits).

Targeted attacks by a motivated attacker are indeed quite possible, within the limits of the attack surface mentioned above, but not likely outside of the security research community. The money these days is all in malware for botnets and spam, or 0days for vulnerability brokers who resell to shady governments (here's looking at you, Vupen), and the Model S isn't particularly interesting for either. Someone might get a nice talk at Blackhat out of a demonstration, but no one is going to 0wn your car from it.

Presumably the embedded controllers that actually matter and can affect driving take signed firmware updates. Hopefully the signature checks happen in the embedded controllers themselves, and not in the infotainment 3G/WiFi/Bluetooth/Web connected center console PC. If so, all the other stuff in the previous paragraphs and your question is moot. This is all that matters.
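The property this post argues for, that the embedded controller itself verifies an update and the connected console is only a relay, can be shown in a few dozen lines. The following is an added example written for this thread, not Tesla code and not anything the poster described in detail; the key, version numbers, image bytes and class names are all constructed for the demo. A standard-library HMAC over the manifest stands in for the public-key signature a real controller would check (with a signature, the controller holds only a verification key and no signing secret); the hash binding of the image, the anti-rollback floor and the "verify before flash" order are the parts that carry over unchanged.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real design would put a public verification key in the
# controller and keep the signing key with the vendor; HMAC is used here only so
# the example runs with the standard library alone.
VENDOR_KEY = b"constructed-vendor-signing-key"


def build_update(image: bytes, version: int, key: bytes = VENDOR_KEY):
    """Vendor side: the manifest binds a version to the image hash, and the tag
    covers the manifest, so neither can be altered without the key."""
    manifest = json.dumps(
        {"version": version, "sha256": hashlib.sha256(image).hexdigest()},
        sort_keys=True,
    ).encode()
    tag = hmac.new(key, manifest, hashlib.sha256).digest()
    return image, manifest, tag


class EmbeddedController:
    """Drive-relevant controller: trusts nothing that arrives from the console."""

    def __init__(self, key: bytes = VENDOR_KEY, version: int = 3):
        self.key = key
        self.version = version            # running firmware version, anti-rollback floor
        self.firmware = b"current-firmware-v3"

    def apply_update(self, image: bytes, manifest: bytes, tag: bytes) -> str:
        # 1. Authenticate the manifest first, in constant time, before parsing it.
        expected = hmac.new(self.key, manifest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"
        meta = json.loads(manifest)
        # 2. Refuse anything that is not strictly newer than what is running.
        if not isinstance(meta.get("version"), int) or meta["version"] <= self.version:
            return "rejected: rollback"
        # 3. The image must be the one the signed manifest commits to.
        if hashlib.sha256(image).hexdigest() != meta.get("sha256"):
            return "rejected: image hash mismatch"
        # 4. Only now is flash touched.
        self.firmware = image
        self.version = meta["version"]
        return "applied"


class CenterConsole:
    """Connected head unit: relays the update but never decides whether it is valid.
    `tamper` models a compromised console altering the payload in transit."""

    def __init__(self, controller: EmbeddedController, tamper=None):
        self.controller = controller
        self.tamper = tamper

    def forward(self, image: bytes, manifest: bytes, tag: bytes) -> str:
        if self.tamper is not None:
            image, manifest, tag = self.tamper(image, manifest, tag)
        return self.controller.apply_update(image, manifest, tag)


# Two constructed tampering behaviours for a compromised console.
def tamper_swap_image(image, manifest, tag):
    """Keep the signed manifest, substitute a different image."""
    return b"constructed-evil-image", manifest, tag


def tamper_forge_manifest(image, manifest, tag):
    """Write a fresh manifest for the substituted image without the vendor key."""
    evil = b"constructed-evil-image"
    forged = json.dumps(
        {"version": 6, "sha256": hashlib.sha256(evil).hexdigest()}, sort_keys=True
    ).encode()
    return evil, forged, tag


def demo():
    """Run the four cases and return what the controller answered in each."""
    ctl = EmbeddedController()
    return [
        CenterConsole(ctl).forward(*build_update(b"firmware-v4", 4)),
        ctl.apply_update(*build_update(b"firmware-v2", 2)),
        CenterConsole(ctl, tamper_swap_image).forward(*build_update(b"firmware-v5", 5)),
        CenterConsole(ctl, tamper_forge_manifest).forward(*build_update(b"firmware-v5", 5)),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The ordering inside `apply_update` matters: the tag is checked before the JSON is parsed so a malformed manifest never reaches the parser, the version is checked before the (larger) image is hashed, and flash is written last. Moving any of these checks into `CenterConsole` would recreate exactly the weakness the post warns about, since a compromised console could simply skip them.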
 
And this isn't new w/ Model S. I was talking to a coworker w/ a Mercedes and they have an app that looks almost identical to the Tesla one. So there are plenty of cars these days w/ cellular internet connections. Don't have an answer for you other than to say what Tesla is doing is new but not bleeding edge new.
 
There are lots of ways to hack cars lower tech than the Model S, there was some hack demo'd where the tire pressure sensors were used as an attack vector (in a vehicle where those sensors had a wireless comm protocol, some buffer overrun or something was exploited to get into the core car computer). Hard to be secure, and hard to gauge what cars are most interesting (or all cars?).
 
The fact that you can reboot the display while driving the car means there is a certain level of isolation of components which makes me less worried about malicious hacking of the car that would affect the driving. More likely that hackers could get into the embedded Linux and install bot-net agents or keyboard capture apps just like on any other computer.

Based on what we know now, the most important thing you can do is to pick a strong and unique password for your teslamotors.com login since that is what is used to authenticate the phone apps that can unlock your car and track its position.
 
The weakest point of the system is your email address. If you use gmail with 2 factor authentication, it may not be - but most email systems are not as strong as gmail. If someone gets into your email they can reset your MyTesla password and then they have access to your car through the app.
I could enumerate what I think are the other likely weak points, but instead I will just say I bet all of the infrastructure outside of the car is probably more vulnerable than the stuff in the car.
 
Jason: maybe you misunderstood what I asked for, otherwise you obviously don't work in computer security. Offering the source code, or even the full API may or may not be good for security (the jury is still out on that). But publishing the security standards, the processes and the general architecture for a commercial product, whether it's a phone or a car, can't hurt security. In most cases obscurity HAMPERS security. If Tesla Motors thinks not publishing the platform's security model will halt hackers, I'm selling my beloved Model S, as I do not have a death wish.
I understand the value of temporary obscurity while someone sorts their act, but obscurity at this level adds no value in the long term.
A well-documented and well-reviewed security model helps security, that's a well-accepted fact in CS. I'm not asking for the source code, or for information about bugs, not even API documentation. I'm asking about their PROCESS: is the code peer reviewed? Do they have protections against typical vectors? Does the platform perform address space randomization, mark buffers as "no execute" or have a generalized bounds check in all its API inputs? Does the company have a formal and public process to report bugs responsibly?
Such information doesn't help hackers. If they want to know if the car does ASLR they can find out in seconds. I don't want to hack into my own car to find out, but I could if I wanted. And the cost of a car is of no consequence if what you want is to bring down a whole industry, or even if you just want to kill one rich guy.
Let's say someone discovers a vulnerability and they don't have a formal process to communicate it. What does a researcher do? They publish it, of course. That's what most white hats do after not finding a formal process to report vulnerabilities. Do you think that would be good for Tesla?

- - - Updated - - -

EarlyAdopter: thanks for the info, but it worries me. So if Detroit wants to get rid of Tesla Motors all they have to do is to pay a bunch of Chinese hackers to find a few exploits and crash a few cars. That would be the end of the company. That's a billion dollar exploit, much more valuable than any one in Windows.
To be sure my point is clear: if my Linux PC crashes or gets pwned, I lose some time, perhaps some money. If my Model S gets hacked with specific intent, and the car doesn't have isolation controls in place, I die.
I don't care that much if someone steals my car. If a "hacker" can get to do the same things I can do, that's bad, but it is not the end of my life. But if they get to do the things I do not expect to be able to do remotely (drive the car, for example) then I will be very, very worried.

What sort of controls would put me at ease? Well, technically, I would like there to be no direct control from the central computer (the one handling external communications and user interface) to the driveline controller, and that both are connected in a way that blocks the user-facing computer from controlling the car (e.g. the "API" that connects the user interface computer with the driveline controller is very tightly controlled and internally authenticated, it allows very specific actions such as the alteration of certain drivetrain parameters within controlled limits, and offers no way for this computer to issue commands such as "turn left" or "speed up"). I would also like to know Tesla has followed the SDL or something similar (just hiring good coders is not enough, not by a mile). I would like to know they adopted a well-reviewed security architecture rather than creating their own, or if they created their own that they had lots of peer reviewing. The fact that they started with Linux is a decent start (not that I'm a big fan of Linux, but Linux has gone through decades of evolution which has made it reasonably robust as a baseline). But a security model goes well beyond that. I would like to know that no single security bug (because there will be many, that's a fact) can bring the car down.
I would also like to know that they have a good relationship with the White Hat community. That they encourage well-intended research on their car's security model, and that they encourage responsible disclosure. Because there's so much money at stake that I have no doubt the bad guys will be doing their research. We can only hope that Tesla has done what's necessary to make their work very hard, and that they have good guys working on getting ahead of the race.
 
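The gateway the post above asks for (an authenticated, tightly controlled link from the user-facing computer to the driveline controller that permits a few bounded parameter changes and has no vocabulary for "turn left" or "speed up") is straightforward to sketch. The code below is an added example for this thread; it is not Tesla's design and says nothing about how the real car is built. The parameter names, their limits, the shared key and the message format are all constructed for the demo, and a standard-library HMAC stands in for whatever authentication a real in-vehicle link would use. The point it makes is structural: the driveline side validates the tag, the counter, the parameter name and the value range itself, so a compromised console gains nothing beyond the allow-listed, bounded adjustments.

```python
import hashlib
import hmac
import json

# Constructed allow-list: the only parameters the console may touch, each with a
# hard range enforced on the driveline side. Names and limits are illustrative.
ALLOWED_PARAMETERS = {
    "regen_level": (0, 2),
    "creep_mode": (0, 1),
    "suspension_height_mm": (120, 160),
}

# Constructed demo key shared by console and driveline gateway.
GATEWAY_KEY = b"constructed-shared-secret-for-demo"


def sign_request(param: str, value, counter: int, key: bytes = GATEWAY_KEY) -> bytes:
    """Console side: canonical JSON body plus an HMAC tag, joined by a dot."""
    body = json.dumps({"param": param, "value": value, "ctr": counter}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


class DrivelineGateway:
    """Driveline side: every check happens here, never on the console."""

    def __init__(self, key: bytes = GATEWAY_KEY):
        self.key = key
        self.last_counter = 0          # highest counter accepted so far (replay floor)
        self.state = {"regen_level": 1, "creep_mode": 0, "suspension_height_mm": 140}
        self.log = []                  # audit trail of accepted and rejected requests

    def handle(self, message: bytes) -> str:
        # 1. Split and authenticate before parsing anything the console sent.
        try:
            body, tag = message.rsplit(b".", 1)
        except ValueError:
            return self._reject("malformed")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return self._reject("bad-mac")
        # 2. Strict parse of the authenticated body.
        try:
            req = json.loads(body)
            param, value, ctr = req["param"], req["value"], req["ctr"]
        except (ValueError, KeyError, TypeError):
            return self._reject("malformed")
        # 3. Replay protection: counters must strictly increase.
        if not isinstance(ctr, int) or isinstance(ctr, bool) or ctr <= self.last_counter:
            return self._reject("replay")
        # 4. Allow-list: only named parameters exist; there is no generic command.
        if param not in ALLOWED_PARAMETERS:
            return self._reject("not-allowed")
        lo, hi = ALLOWED_PARAMETERS[param]
        if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
            return self._reject("out-of-range")
        # 5. Apply only after every check passed; rejected messages never advance the counter.
        self.last_counter = ctr
        self.state[param] = value
        self.log.append(("ok", param, value))
        return "ok"

    def _reject(self, reason: str) -> str:
        self.log.append(("rejected", reason))
        return reason


def demo():
    """Feed a sequence of constructed requests through one gateway and return
    the verdicts together with the resulting state."""
    gw = DrivelineGateway()
    verdicts = [
        gw.handle(sign_request("regen_level", 2, 1)),                    # in range: ok
        gw.handle(sign_request("regen_level", 2, 1)),                    # same counter: replay
        gw.handle(sign_request("steer_left", 1, 2)),                     # no such parameter
        gw.handle(sign_request("suspension_height_mm", 500, 2)),         # outside limits
        gw.handle(sign_request("creep_mode", 1, 2, key=b"wrong-key")),   # forged tag
        gw.handle(sign_request("creep_mode", 1, 2)),                     # valid: ok
    ]
    return verdicts, gw.state


if __name__ == "__main__":
    verdicts, state = demo()
    print(verdicts)
    print(state)
```

A "steer_left" request is rejected not because a rule forbids steering but because the gateway has no such parameter at all, which is the distinction the post draws between limiting an interface and merely filtering it. Keeping the audit log on the driveline side also gives a defender something to alert on: a burst of `bad-mac` or `not-allowed` entries is exactly the signal you would want from a console that has been compromised.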
For those of you who don't know (or don't care), almost every car made today uses a simpler version of the Local Area Network, called the Controller Area Network (more commonly called the CAN bus). The CAN bus allows dozens of components to send and receive sensor data and commands. It's all drive-by-wire nowadays.

Furthermore, many of the higher-end cars have radios that not only receive, but transmit, too. Cellphone G3, G4, Bluetooth, Wi-Fi, garage door openers, and maybe even LoJack.

Hacking the Model S for evil is probably no different than hacking any CAN Bus based vehicle. And there are many such cars nowadays.

So far, if the villain has physical access to your car, and can connect an evil device onto the CAN Bus network (the On-Board Diagnostic port is the obvious choice), then there's a good possibility that the evil device can masquerade as some other device, and do evil things.

If the villain does not have physical access to your car, then the problems are an order of magnitude more difficult, but theoretically possible. Most cars with On*Star, Satellite Radio, G3, Wi-Fi, & etc. capability are configured to accept manufacturer signals (or upgrades, or directives) to remotely communicate with the car.

{You may remember a GM commercial that briefly aired where the On*Star system was touted, showing a stolen car slowing down and rolling to a stop as several police cars trailed behind. The On*Star system accessed the car's fuel pump and slowly reduced its power to starve the engine of fuel, bringing it to a controlled stop.}

If On*Star can access a vehicle on the go, then it is *possible* that our villain may be able to do it, too. But unlikely. After all, GM and the others aren't total dummies. They use a pretty good encryption system already. (I imagine they also use a pretty good gang of lawyers.)

There is probably a villain or two out there right now trying to find a way to break through the encryption codes and gain access of remote devices, i.e., your car (or more likely, the Army's humvees). But just like Microsoft vs Apple, I would expect the villains to be going after a solution that might give them a greater rate of return should they meet with success (tens of thousands of GM On*Star cars, maybe) instead of a puny couple of hundred Tesla Model S cars.

If this *still* becomes a problem, then it may take a simpler hard-wired solution: Design the car to have a special device installed on the On-Board Diagnostic port (or whatever) that is the *only* way that the car will receive software-altering upgrades. That device is only available at a dealership, and they have to enable it before anything could be modified.

-- Ardie
So, how do I download McAfee to the car again?
 
If this *still* becomes a problem, then it may take a simpler hard-wired solution: Design the car to have a special device installed on the On-Board Diagnostic port (or whatever) that is the *only* way that the car will receive software-altering upgrades. That device is only available at a dealership, and they have to enable it before anything could be modified.

Isn't that sort of like saying, "If you don't want malware on your computer, disconnect from the internet and only load factory supplied media?"
 
Isn't that sort of like saying, "If you don't want malware on your computer, disconnect from the internet and only load factory supplied media?"

In a way, I guess so. There are those who are, um, "overly super-cautious" about this subject, and such a solution might work well for them.

For me, I'll wait until there is a confirmed threat before I start lining my garage with copper.

--Ardie
That reminds me - I need to put my daughter on the "security breach threat" list.