Tesla Model S Can Be Hacked, And Fixed (Which Is The Real News) | KERA News

Tesla Model S Can Be Hacked, And Fixed (Which Is The Real News)

Aug 6, 2015
Originally published on August 7, 2015 9:10 am

Cars have become computers on wheels. Crash the computer, and you could crash the car.

Two hackers decided they wanted to try doing that with a car that's considered pretty strong in terms of software, not just hardware. They chose the Tesla Model S. And — guess what — they broke in. But that's not the surprising part. The surprising part is how Tesla responded.

The Hack

Meet the two hackers: Kevin Mahaffey is a co-founder of Lookout; Marc Rogers is a principal security researcher with CloudFlare. Both cybersecurity firms are based in San Francisco.

They came to Las Vegas to attend DEF CON, a conference where hackers exchange tricks of the trade. These two are "white hats" — people who break into networks to look for flaws and get them fixed.

Here's how Rogers explained the hack: Tesla cars have a cable inside, which maintenance people can access to fix things. That cable is hidden, in a secret panel, either to the left of the driver or under the touch screen.

Pop it open, find the cable and plug into it.

"It doesn't immediately give you access to anything," Rogers continued. "You have to do a few special things." Like poke holes in the software and look for bugs, for example.

The team found a few. The first gave them access to the car's network. The second got computers on the network to leak information about "how accounts hang together or maybe about how computers talk to each other," Rogers says.

With a fuller picture of how things work, Rogers and Mahaffey were able to convince computers at Tesla headquarters that their laptop was the car.

"We spoke to Tesla as the car, and essentially requested permission for more information," Rogers continues. Tesla's networks handed over data. The hackers tore it apart, analyzed it and got administrative access to the car.

"Once we had that foothold, we then took over all the computers in the car," Rogers says.

Rogers and Mahaffey then built themselves a back door, a way to control from afar. With that back door, they brought a real-life Model S to a grinding halt.

They made a recording to document their hack. In it, Mahaffey gets into the Model S and puts on "Call Me Maybe" by Canadian singer-songwriter Carly Rae Jepsen.

He drives very slowly through a parking lot. Rogers sends a command, through his iPhone, to shut down the car. And the Tesla stops dead in its tracks. The stereo shuts down, too.

Over-The-Air Updates

If you happen to own a Tesla, this might not be music to your ears. But the reason it's good news is that unlike other automakers, Tesla actually has a system in place to fix bugs: regular software updates.

"This is something that seemed completely natural, in the DNA of how you build a connected product," says JB Straubel, Tesla co-founder and chief technology officer. "This is not a new concept in any way, shape or form."

Not new for Tesla, anyway. The company does over-the-air updates, kind of like Apple does for iPhones. Every three months or so, every car gets a free software upgrade. No need to go to the mechanic for it.

The original intent wasn't security. (That's more a nice side effect.)

"It was built to give people content that they wanted to use," Straubel says. "And that's still the main function, whether that content is streaming music or streaming maps."

The two hackers emailed Tesla about the bugs they found. Straubel and his team invited them in for a meeting and got details, figuring it's better that Tesla knows before the bad guys do. Tesla says it's sending over-the-air update patches to all Model S customers.

Auto Industry Struggles With IT

Other companies have come under fire recently for not having a user-friendly system in place. Last month an article in Wired magazine described how a driver lost control of his Jeep Cherokee when two hackers remotely took over the car's computers.

In response, the car's manufacturer, Fiat Chrysler Automobiles, recalled 1.4 million cars. Fiat Chrysler also asked Sprint to issue a temporary fix over its network.

Earlier this year, a report by Sen. Ed Markey, D-Mass., found that automakers have fully adopted technologies like Bluetooth and wireless Internet access but have "not addressed the real possibilities of hacker infiltration into vehicle systems."

The team that hacked Tesla says all carmakers should offer over-the-air updates, and do so free of charge.

"If you require an Internet subscription for the car, maybe 10 percent of people will sign up," Mahaffey says. "That doesn't work."

He and Rogers will present their findings at DEF CON on Friday. They also suggest that automakers create a strong separation between the driving and infotainment systems inside vehicles, and build security rigorously into every component (a concept known as "defense in depth").

Ulf Lindqvist manages R&D projects in infrastructure security for SRI International. He says the not-for-profit research center is working with federal regulators on a new effort to help traditional automakers audit the cybersecurity of vehicles and build safer software systems.

"Good things are happening. It's not going to be superfast, but we're getting there," he says.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

DAVID GREENE, HOST:

If you own a late-model Jeep Cherokee, can't really blame you for feeling uneasy these days. After all, there was that article in Wired magazine last month. It described how a driver lost control of his Cherokee when two hackers remotely took over the car's computers. Now, in fairness to Jeep, hackers pose a threat to many cars as the industry turns its vehicles onto computers on wheels. NPR's Aarti Shahani tells us how one company, the electric car manufacturer Tesla, was hacked and responded in a pretty surprising way.

AARTI SHAHANI, BYLINE: Meet the two hackers.

KEVIN MAHAFFEY: Kevin Mahaffey, the CTO and founder of Lookout.

SHAHANI: And...

MARC ROGERS: I'm Marc Rogers, the principal security researcher at CloudFlare.

SHAHANI: We're in Las Vegas, in town for DefCon, a conference where hackers exchange tricks of the trade. These two were white hats, people who break into networks to look for flaws and get them fixed. Rogers begins to explain the Tesla hack.

ROGERS: So the Tesla has a cable for maintenance people to be able to access it and do things.

SHAHANI: That cable is hidden in a secret panel, to the left of the driver or under the touchscreen.

ROGERS: You have to pop it open.

SHAHANI: Find the cable, and plug it in.

ROGERS: It doesn't immediately give you access to anything. You have to do a few special things.

SHAHANI: As in poke holes in the software, and look for bugs. They found a view. The first gave them access to the car's network. The second got computers on the network to leak information, like..

ROGERS: How accounts hang together or maybe about how computers talk to each other.

SHAHANI: With a fuller picture of how things work, they were able to convince Tesla headquarters that their laptop was the car.

ROGERS: So then we spoke to Tesla as the car and essentially requested permission for more information.

SHAHANI: Tesla's networks handed over data. The hackers tore it apart, analyzed it and got administrative access to the car.

ROGERS: And once we had that foothold, we then took over all the computers in the car.

SHAHANI: Rogers and Mahaffey then built themselves a backdoor, a way to control from afar. And with that backdoor, they brought a real life Model S to a grinding halt. Listen to this recording they made.

Mahaffey got into the Model S and put on some music.

(SOUNDBITE OF MUSIC)

SHAHANI: He drove slowly through a parking lot until Rogers sent a command through his iPhone to shut down the car.

The Tesla stopped dead in its tracks - the stereo too. If you happen to own a Tesla, this might not be music to your ears. Two guys could break in and own it - hacker speak for take over. But the reason it's good news is because unlike other automakers, Tesla actually has a system in place to fix bugs, regular software updates.

JB STRAUBEL: This is something that sort of seemed like it was completely natural in the DNA of how you build a connected product.

SHAHANI: That's JB Straubel, Tesla cofounder and chief technology officer.

STRAUBEL: This is not a new concept in any way, shape or form.

SHAHANI: Not new for Tesla. The company does something called over-the-air updates, kind of like Apple does for iPhones. Every three months or so, every car gets a free software upgrade. No need to go to a mechanic for it. Straubel says the original intent wasn't security. That's more a nice side effect.

STRAUBEL: It was built to give people content that they wanted to use. And it's still the main function, whether that content is streaming music or streaming maps.

SHAHANI: The two hackers emailed Tesla about the bugs they found. Straubel and his team invited them in for a meeting and got details - better Tesla knows before the bad guys do. And by today, Tesla is sending over-the-air updates to all Model S customers with a patch. Aarti Shahani, NPR News, Las Vegas. Transcript provided by NPR, Copyright NPR.