Aug 08
2015

Hacking Tesla

Tesla_Model_S_digital_panels

Image of Tesla’s Model S digital panels

One only needs to have a brief look at Tesla’s Model S dash panel to realize that it’s not a typical car.  In a normal automobile you would find gadgets with physical gauges to tell you things like speed, fuel and other things.  In a Tesla Model S you find a series of computer generated graphics that represent the physical gauges found in other vehicles.   In addition, underneath the sophisticated look of the exterior are controls and WiFi technologies that has had experts in Cybersecurity talking for over a year, making Tesla the biggest target for talk amongst the offensive community.  However, it’s not just Tesla that is getting involved and bracing the software enhancement of cars, it’s just that Tesla is so advanced and has taken it to the next level first.

Just recently Kevin Mahaffey (co-founder and CEO of mobile security firm Lookout) and Marc Rogers (CloudFlare) discovered vulnerabilities and presented on them at Def Con (the biggest offensive Security Conference in the U.S.) on Friday 8/7/2015 in Las Vegas.  The attack on the car requires physical access to the inside of the car and involves plugging in a laptop to a CAN bus port located behind the Model S driver’s side dashboard.

Tesla_Model_S_canbus

Image of Tesla’s Model S CAN bus

The CAN bus port is specific to automobiles, and according to a conversation I had with someone who works directly with Ford Motor Company, it is unfamiliar to most people on most cars.  However, in Tesla’s case they actually use an Ethernet network that is more familiar to people who use computers.  In fact, Tesla uses an internal 100 Mbps, full-duplex Ethernet network with 3 devices on it that use statically defined IP addresses on a 192.168.90.0 subnet…. this may seem like geek speak to most… but trust me, that’s pretty familiar stuff to those of us that are educated in the arena of computer networks.

Tesla systems actually speak the offensive security community’s language.

cof_orange_hex_400x400

Ubuntu Logo

The most interesting thing to me as a security researcher is under all the pretty graphics of the Tesla itself, it has a customized Ubuntu operating system, something I’ve favored and taught in my classes for years.  This means that modern cars all use an Operating System (OS) and applications just like any other computer we interface with.  It also means that unless the manufacturers keep their OS and applications current in their hardware products (like Tesla, Nest, and others) there will be known vulnerabilities that can be exploited to take control over those systems.  In fact, if there’s one system Offensive Security people know, it’s Ubuntu as it has mainstream offensive testing distributions based on it.

Kevin Mahaffey and Marc Rogers talk at Def Con after investigating the Tesla systems for over two years is promised to be one of the top talks. They already released some of their six vulnerability findings to the public to promote the talk such as the Tesla Model S:

  • Using an out-dated browser containing a four-year-old Apple Web-Kit that is well documented, having a history of being used to attack other systems.
    • This Apple Web-Kit vulnerability allows the attacker to conduct a fully remote hack to start the car’s motor by developing a website targeting the car owners to download malicious code
      • That code (known as an exploit) when executed would provide privilege escalation allowing the attacker to deliver various payloads of the attacker’s choosing to the Tesla Model S system.
EV_Rally_Trollstigen_Tesla_Model_S

Tesla Model S

It’s almost like a perfect storm in the way that the owner has to be tricked into clicking on a link to the code to allow this remote control.  However, using social engineering and manipulating Google or a search engine to produce a result specifically targeting an individual that owns the car (like telling them it’s a software update or something) one could feasibly do this.  The attacker could then have a back door impregnated on the Model S system and simply issue commands to the car.  The back door would then create a life threatening issue as they did with a Jeep Cherokee recently under test conditions.

The nice thing is that Mahaffey and Rogers worked with Tesla’s software and security team to develop patches to the Tesla system.  Tesla fixed some of the vulnerabilities  delivering the updates to their cars remotely on Wednesday 8/5/2015.  What is amazing to me is how responsive Tesla has been to patching these known vulnerabilities so quickly, and how easy it was for them to deploy their updates directly to their cars.

Meanwhile back here in Detroit, we use systems that are designed specifically so you need to have specific knowledge and physical access to the cars to deliver the updates.   One would think that would cut down on issues.

102862398-2014-Jeep-Cherokee-Uconnect.1910x1000

Jeep Cherokee U Connect System

However, as recent as July 2015 there were findings on the Chrysler U Connect system that reared an ugly attackable vulnerability.  It was discovered that attackers could take control of the transmission, breaks, and steering on certain cars.  Chrysler had to issue USB sticks with the patch and ask 1.4 million vehicles to report back to the dealership  for the fix.  This undoubtedly cost Chrysler more money for the way they decided to control access to their U Connect update systems vs. how Tesla does.  However, it is important to note that Chrysler does care for the security and safety of their customers, otherwise the money wouldn’t be spent on the updates at all for their U Connect systems.

Even with all the talk about Tesla and their Internet of Things (IoT) automobile, they will continue to prove themselves only if they can continue to quickly resolve issues as they have with the deployment of the latest patches delivered this week to their automobiles.  Many times in our world of security, weeks, months or even years after a Def Con talk detailing an attack comes out… many software manufacturers don’t even bother fixing the known vulnerabilities.

If Tesla keeps delivering real-time updates quickly to resolve known vulnerabilities, they will continue to win the hearts and minds of the Ethical Offensive community, and even increase their market share as a manufacturer that is concerned with the security and safety of their customers.

Resources:

The Tesla Model S Is Basically A Good Looking IT Department On Wheels: http://jalopnik.com/the-tesla-model-s-is-basically-a-good-looking-it-depart-1558372928

Making the Real Diagnostic Connector Part 1: http://www.instructables.com/id/Exploring-the-Tesla-Model-S-CAN-Bus/step2/Making-the-Real-Diagnostic-Connector-Part-1/

The scariest thing about the Chrysler hack is how hard it was to patch: https://www.theverge.com/2015/7/24/9036153/chrysler-hack-vulnerability-automobile-car-software-security

Hackers Remotely Kill a Jeep on the Highway—With Me in It: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

This entry was posted in Information Assurance, New Technologies and tagged , , , , , , , , , , , , , , , . Bookmark the permalink.