Chinese researchers have been able to hack into the Tesla Model S while it is in motion up to 12 miles away. These researchers have withheld details of the a zero day attack and privately disclosed the flaws to Tesla. IT security experts commented below.

Craig Young, Cybersecurity Researcher at Tripwire:

CraigYoung“At first glance, it would appear that the details provided by the researchers conflicts somewhat with the information released by Tesla.  While the researchers indicated that they could compromise a car from 20km, Tesla has reported that the car must be connected to a malicious Wi-Fi and the standard range for this is at most 300m.  This could indicate that the attackers found a way to gain persistence on the car after it has disconnected, but then the 20km range seems oddly short.  Instead I suspect that the attack may have actually been possible by another user on the same cell tower or with a cell site stimulator.  In this case, I hope that the researchers do release further details to help understand the automotive attack surface better.The disclosure definitely is a cause for alarm as the attack definitely involved exploitation of a web browser leading to physical control over the car.  Ideally these systems should be completely isolated from one another.”

Mark James, Security Specialist at ESET:

mark-james“Tesla will continue to invest and work very hard in making their cars as secure as possible. When it comes to software there is always the possibility of it being compromised, no matter how good you think your code is. The key differentiator here is how quickly you listen, change and modify any confirmed flaws found through bug bounty type programs, get them rectified and then push these out to all affected. More and more cars are going to be connected, unlike your desktop machine if it becomes compromised it’s not just money that could go missing, these types of security incidents could in the worst case scenario cause harm or even loss of life.

Unfortunately, cyber security with regards to autonomous cars is a very real threat and one that should be treated with the utmost respect. Interconnected cars will be as common as getting your latest social networking fix wherever you are on the move these days but it comes with a real danger. The potential is huge if something goes wrong at speed and even the simplest of things could cause the driver to become distracted and be the cause of a road traffic accident. When we drive we expect to be in total control of our own vehicle, mirrors or windows moving, braking or even sudden sounds internally could all be the cause of taking our eyes off the road for the shortest of times and that could prove fatal.

The problem is that delivering secure software is a constantly changing factor, what is considered secure today may not be secure tomorrow. The ability to modify and push our updates is very important, making sure the user is well aware of any updates and making it easy for them to be applied needs to be top of the list when it comes to protecting the users of these types of vehicles.

The biggest single thing that you as a drivers can do to improve security is making sure you have applied all patches relating to security that are available for your vehicle. Even if you think it’s unrelated or does not affect you it may be an avenue for attack. Keeping your car up to date is even more important than keeping your desktop computer updated, making sure you keep your details up to date to enable the manufacturer or supplier to contact you if any urgent modifications need to be done that cannot be pushed over-the-air.”

Brian Spector, CEO at MIRACL:

brian-spectoreic“These hacks demonstrate the serious problems around identity verification in today’s connected cars. Having very limited encryption, identity management and data protection within such a powerful computer is extremely dangerous and poses a real and serious threat to everyone using our roads today. Move forwards to the increasing trend for driverless cars, and the potential fallout from this lack of authentication becomes even more frightening.

For connected cars to become more secure, relationships must be established within each and every component within a vehicle, to ensure that only a legitimate operator can control the connected devices within a car. Given the huge number of components in connected cars, hackers usually find a pathway by following a ‘weakest link’ scenario which attacks the easiest point of entry to the vehicle. This problem is compounded by the array of parts that comprise a vehicle, and the lack of a security protocol that ensures they will all work together safely and securely.

The current security checks often fail because they rely on slow, centralised identity verification services. To connect the components more quickly and autonomously, manufacturers should deploy a distributed trust model which allows for fast pre-authorisation, and removes the roadblock of a centralised service.

All of this requires a serious system upgrade and a greater drive for security awareness among manufacturers as well as consumers who use connected cars.”

Cesare Garlati, Chief Security Strategist at Prpl Foundation:

Cesare Garlati“Perhaps it goes without saying that the most dangerous part of the connected car is the “connected” part. Criminals, using a little lateral thinking, can use one part of the car’s anatomy to get to another. This could have dangerous consequences if hackers found their way into more critical functions, such as the brakes as researchers were able to do with the Tesla recently. The lack of subject matter expertise with mechanical and electrical engineers is leaving systems wide open to attack. While it’s unfair to expect them to shoulder this burden, it is also unfair to place the onus squarely on the consumer who is likely to know even less about security. This is something which vendors, regulators and manufacturers must carefully consider as the evolution of connected cars continues.

The prpl Foundation advocates three focus areas to make IoT more secure: using open source, forging a root of trust in hardware and security by separation. Interoperable open standards are the key requirement if we’re to improve IoT security– they will reduce that complexity by effectively outsourcing the trickiest work to the subject matter experts.”

Information Security Buzz