Security Architecture, Endpoint/Device Security, IoT, Security Strategy, Plan, Budget, Vulnerability Management, Threat Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Hackers crack Tesla CAN Bus, DoT issues policy for securing connected car

For the first time ever, researchers claimed they were able to crack into Tesla's CAN Bus to achieve remote control of the electric car, meanwhile the U.S. Department of Transportation (DoT) issued new policy concerning automated vehicles.

Keen Security Lab researchers discovered multiple security vulnerabilities in Tesla firmware which allowed them to open the sunroof, turn on the blinkers, move the seat, hack into the center counsel display screen and dashboard display, open doors without a key, control windshield wipers, fold side mirrors, open the trunk, and engage the braking system, according to a Sept. 19 YouTube video demonstration of the attacks.

Researchers said they were able to perform the exploits on various models all of which were performed without physically altering the cars and that this is the first known case of remote attacks which compromised the CAN Bus on Tesla cars.

The bugs were reported to and confirmed by Tesla's Product Security Team and those who are affected are encouraged to update their vehicles to the latest version to ensure the issues are patched.

Tripwire Cybersecurity Researcher Craig Young told SCMagazine.com that some of the details provided by the researchers conflict with information released by Tesla.

“While the researchers indicated that they could compromise a car from 20km, Tesla has reported that the car must be connected to a malicious Wi-Fi and the standard range for this is at most 300m,” Young said via emailed comments. “This could indicate that the attackers found a way to gain persistence on the car after it has disconnected, but then the 20km range seems oddly short.”

Young said he suspects the attack may have actually been possible by another user on the same cell tower or with a cell site stimulator and that he hopes the researchers release more details about the exploits to better explain the attack surface.

“The disclosure definitely is a cause for alarm as the attack definitely involved exploitation of a web browser leading to physical control over the car,” Young said. “Ideally these systems should be completely isolated from one another.”

Separately, the DoT Tuesday released policy for safe testing and deployment of automated vehicles.

 The policy includes guidelines urging car manufacturers and other developers to submit to a 15- point “safety assessment” outlining how driverless cars are tested, safeguards in place should systems fail, and how the vehicles are programmed to comply with existing traffic laws.

The DoT guidelines indicate the need for cybersecurity best practices and call upon industry technology companies and the car manufacturers to share knowledge and create them, Karamba Security Chairman and Co-founder David Barzilai told SCMagazine.com via emailed comments.

Barzilai said the DoT expects that best practices should be embedded in the designs of the autonomous cars and that leading car companies and providers have already started to create internal methods for hardening cars against hackers.

“Yet, they have been experiencing a gap between common enterprise cybersecurity methodologies that protect against data loss and in-car security that protects against fatalities and damages,” Barzilai said. “Both NHTSA and the industry are seeking solutions that will enable the prevention of attacks, not just detection, without risking lives due to false alarms, problems that can lead to legitimate car commands failing to execute, such as airbag deployment.”

He said this won't be an easy task but is critical as preventing the attack is even more important than detecting the attack.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.