How Hackers Tore Apart A Tesla Model S To Kill The Car Mid-Drive

As reported by Forbes: Tesla currently has a good rep in security circles. Its cars might be some of the most connected, but they’re also some of the best protected from digital attacks. That’s what Marc Rogers, of content delivery network CloudFlare, and Lookout Mobile Security co-founder Kevin Mahaffey discovered as they tried to find ways to hack the Tesla Model S. But whilst they had much praise for the luxury vehicle, they were still able to compromise it, cracking open doors, altering the dashboards and even shutting the car off.

Rogers and Mahaffey had to rip the Tesla apart, quite literally, until they found an ethernet port that let them connect directly to the Model S’CAN bus, the controller area network across which car data is sent and received. In total, they needed to chain four separate vulnerabilities to first gain access to the infotainment systems and the touchscreen used to control certain functions of the vehicle.

From there, they were able to do all kinds of diabolical things, including forcing the speedometer to disappear, altering the suspension, unlocking doors and the trunk, making windows go up and down, as well as killing the car.

An American flag is reflected in the grill of a Tesla Model S P85D at Tesla headquarters in Palo Alto, California on April 30, 2015 during the visit of Japanese Prime Minister Shinzo Abe. AFP PHOTO / JOSH EDELSON (Photo credit should read Josh Edelson/AFP/Getty Images)

Despite the problems uncovered by Rogers and Mahaffey, they discovered Tesla had a novel way to prevent even the most severe attack, that of shutting down the car, from causing carnage. When going under 5Mph, engine shutdown saw the displays go blank and the car “lurched to a stop” until the handbrake stopped it, Rogers noted. When attacked travelling any faster than that, the screens would go blank but the car would shift into neutral, allowing the driver to find somewhere safe to stop and restart the car.

“Ironically that means it’s the only car that can protect itself against a successful cyber attack,” Rogers noted.

They were able to get malware, effectively a bespoke vehicular remote access trojan (RAT), onto the car’s network after getting physical access, meaning they could subsequently attack the car remotely. It was effectively a simple backdoor, specifically an OpenSSH tunnel into the Tesla.

Tesla disputed the hackers were able to do remote attacks, whilst confirming fixes were being delivered today. “Tesla has taken a number of different measures to address the effects of all six vulnerabilities reported by Lookout. And, we continue to develop further ways to harden our systems, informed by ongoing discussions with the security research community, as well as our own internal analysis. The update has been made available to all Model S customers through an OTA update. We will deploy this update to all vehicles by Thursday,” a spokesperson said in an emailed statement to FORBES.

“Our over-the-air software updates remotely add new features and functionality to Model S. Similarly to how you receive updates to your smartphone, Model S owners download these updates from Tesla via Wi-Fi or a cellular connection. A button will pop up on Model S’s 17” touchscreen and an owner can select a time to download the latest version of software. The ability to receive these features and fixes is free for the life of the vehicle and is one more way that Tesla is redefining auto-ownership.”

Indeed, Rogers said Tesla was doing the right thing providing over-the-air updates with a modem and cellular connection Elon Musk’s company offers for free. Mahaffey claimed that some of Tesla’s updates were more like mitigations rather than full patches, the segregation of the on-board network was good enough to help prevent potential real-world attacks.

Disclosure was also relatively painless, even if there was a “long lag” between the original warning to the time the right people at Tesla were on the case, according to Rogers. “They are very forward looking,” said Mahaffey.

The researchers, who will present their findings in full at the DEF CON conference in Las Vegas on Friday, also found two potential browser vulnerabilities that they also disclosed, though didn’t exploit.

This week saw Chris Evans take the lead security role at Tesla, making the move over from Google’s elite Project Zero research team. Evans even helped Tesla address the issues, said Mahaffey, noting: “This gives me really high hopes with Tesla going forward.”

“I would like to see what they’ve done as a reference model for others… I think they’ve got lessons to learn but they’re 75 per cent there,” added Rogers.

This isn’t the first time Tesla has been targeted by benevolent hackers. Chinese researchers from Qihoo 360 exploited the car for a $10,000 award in 2014. Its website and Twitter feeds were hit by malicious hackers earlier this year too.

There’s been a heavy focus on car security this week during the Black Hat and DEF CON conferences this week. Not only have attacks on Chrysler vehicles been demonstrated, but Qihoo researchers are also due to show GPS exploits to trick cars into following false directions and Samy Kamkar is to demonstrate a cunning way to unlock vehicles with a $50 device.