Security Expert Re: Tesla Cars Hacked Remotely by Drone

Researchers recently showed how a drone can launch an attack via Wi-Fi to take full control of a Tesla’s infotainment system by exploiting flaws in a third-party component. (These vulnerabilities have since been patched.)

Expert Comments

May 04, 2021
Asaf Karas
CTO
Vdoo


Automotive manufacturers must design resilient and safety-critical systems with an attacker’s perspective in mind. Wi-Fi systems have been shown to be the weak spot when attacking infotainment and console systems, as seen in a different vulnerability found last year in a 3rd party Wi-Fi component used by Tesla. These systems are usually provided by 3rd party vendors (whether commercial or open-source), and contain a lot of complex network processing code, which is more prone to vulnerabilities. As such, they are an inherent and ongoing risk for users of modern infotainments, as they need to either provide a Wi-Fi hotspot or connect to a mobile phone.

 

Unfortunately, manufacturers have a hard time detecting these vulnerabilities. This newest example is an unknown, zero-day vulnerability (as opposed to a known one) in 3rd party software they use. Attackers commonly look for vulnerabilities in 3rd party software such as OSS components and then exploit them to control the device that uses them, in this case, the Tesla infotainment.

 

Manufacturers need to invest in the early detection of vulnerabilities, particularly given the large number of 3rd party components used in the modern car. The most efficient, scalable way to do this is to employ automated security tools to scan 3rd party software components in their source or binary form for unknown, zero-day vulnerabilities (not CVEs). Bug-bounty programs, using manual research methods, can also help identify specific issues.

 

Unless car manufacturers start tackling this vulnerability problem head-on, we believe there will be significant repercussions for automotive security and safety, especially in autonomous vehicles. This particular vulnerability is a rather ordinary buffer-overflow vulnerability that could have been detected by existing automated code analysis tools. It is this kind of low-hanging fruit that should be dealt with to raise the bar for attackers.

