Recently, Tesla owners received a wake-up call. At a conference in Singapore, an information security expert showed that Tesla's electric cars can be attacked using simple techniques. Nitesh Dhanjani, an Ernst & Young security executive who also writes technical books, says that Tesla's connected cars, which are in constant communication with Tesla's servers, can be remotely accessed by brute-forcing the owner's account password. Dhanjani has a personal stake in the subject: he is not just a security expert but the owner of a Tesla Model S.
In his presentation at the Black Hat Asia security conference, Dhanjani made a telling observation. For all of the Tesla's technological sophistication, the fledgling prestige automaker does not protect its owner accounts very well. The Model S is paired with an iPhone application that lets owners remotely unlock their car doors, locate their vehicle, adjust suspension and brakes, and control in-car media. Although designed to make owners' lives easier, the integration ships with weak password requirements, and the web portal that fronts the same account makes password theft comparatively easy. What struck Dhanjani most: Tesla's web portal does not lock out an account after repeated failed logins. With no lockout and no rate limiting on guesses, anyone can bombard a Tesla owner's account with passwords until one is accepted, and because the phone app uses the same credential, a guessed password is effectively a remote key.
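To make the lockout point concrete, here is an added example written for this article; it is not Tesla's code or Dhanjani's, and the account name, the four-digit PIN space and the clock are constructed for the simulation. The same toy login service is run twice: once with unlimited guesses, as the article describes, and once with a lockout after five failures. The attacker advances its own clock whenever the server says "locked", so the simulated time shows how much a lockout policy costs an attacker even with unlimited bandwidth.

```python
import hashlib
import hmac
import itertools
import os
import string

# Kept deliberately low so the simulation runs in well under a second;
# a production deployment would use a far higher work factor.
PBKDF2_ITERATIONS = 1000


class AuthServer:
    """Minimal username/password check with an optional account-lockout policy.

    lockout_threshold=None reproduces the weak behaviour described in the article:
    unlimited guesses, so the password alone stands between an attacker and the car.
    """

    def __init__(self, lockout_threshold=None, lockout_seconds=900):
        self.lockout_threshold = lockout_threshold
        self.lockout_seconds = lockout_seconds
        self.accounts = {}  # username -> {salt, hash, failures, locked_until}

    def register(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def login(self, username, password, now):
        """Return 'ok', 'denied' or 'locked'. `now` is the caller's clock in seconds."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"
        if now < acct["locked_until"]:
            return "locked"  # refused before the password is even checked
        if hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if self.lockout_threshold is not None and acct["failures"] >= self.lockout_threshold:
            acct["failures"] = 0
            acct["locked_until"] = now + self.lockout_seconds
        return "denied"


def pin_candidates():
    """Constructed search space: every four-digit PIN, 0000 through 9999."""
    for digits in itertools.product(string.digits, repeat=4):
        yield "".join(digits)


def brute_force(server, username, candidates):
    """Online guessing attack. Returns (password or None, requests sent, simulated seconds elapsed)."""
    now = 0.0
    requests = 0
    for guess in candidates:
        while True:
            requests += 1
            result = server.login(username, guess, now)
            if result == "ok":
                return guess, requests, now
            if result == "denied":
                break
            # 'locked': wait (in simulated time) until the window expires, then retry this guess
            now = server.accounts[username]["locked_until"]
    return None, requests, now


if __name__ == "__main__":
    account = "owner@example.com"  # constructed
    for label, server in (("no lockout", AuthServer()),
                          ("lockout after 5 failures", AuthServer(lockout_threshold=5))):
        server.register(account, "0731")  # constructed PIN
        found, sent, seconds = brute_force(server, account, pin_candidates())
        print(f"{label}: found {found!r} after {sent} requests, {seconds / 86400:.1f} simulated days")
```

Without a lockout, the 0731 PIN falls after 732 requests in no meaningful time; with a five-failure, fifteen-minute lockout the same search costs 146 lockout windows, about a day and a half of wall-clock time, and that many failures on one account is exactly the kind of signal a monitoring team should see. A lockout by itself can also be turned against the owner, since an attacker can deliberately lock a legitimate driver out of their own account, so real deployments pair it with per-source throttling, progressive delays and a second factor rather than relying on lockout alone.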
Tesla is not alone in its quest to create ever-more-connected vehicles. Connected car APIs are already offered by Ford, Toyota, GM, and others. Extensive nationwide 4G networks and the 30-plus-month development cycle of a new model mean it is now feasible to integrate smartphone technology into cars. This ranges from small additions, like offering Pandora or Yelp on the dashboard, to deeper ones like Tesla's remote brake system adjustment. These new capabilities are built on top of systems that have been around for years, like GM's OnStar and BMW's ConnectedDrive. For automakers, every capability they can add to a car potentially adds sales, and they have judged that building cars whose air conditioners can be controlled from an iPhone is worth the cost.
One major concern is that poor server-side security could hurt drivers. Yuval Ben-Itzhak is the CTO of AVG, a Czech Republic-based security firm that primarily markets anti-virus software to consumers. In a recent conversation with Fast Company, Ben-Itzhak explained that automobiles are now part of a connected device ecosystem that includes fitness trackers, thermostats, and even baby monitors. The big worry is that companies selling products for this ecosystem use weak encryption or weak security in general, letting intruders steal data or even manipulate a device.
“I travel a lot worldwide,” he says. “I purchased an IP camera and put it in my living room so I can see my kids and check if everything is okay. When I log into the camera from my phone or laptop, I’m asked for my password and other security info and I felt it was secure. But I wanted to know how the camera broadcast our video stream to the cloud, so I used a network sniffer and saw that the camera was uploading the stream unencrypted.” That meant that anyone able to capture traffic on the same network path, using a sniffer, a common piece of software or hardware, could illegally watch a livestream of Ben-Itzhak’s family with a minimum of work.
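The check Ben-Itzhak describes, looking at what a device actually puts on the wire rather than trusting its login screen, can be reduced to a first-bytes triage of each captured connection. The example below is added for this article and is not AVG's or any camera vendor's code; the flows and payloads in it are constructed, not taken from a real capture. It decides whether a TCP stream opens with a plausible TLS record header or with a cleartext HTTP or RTSP request line, which is the distinction a sniffer makes visible.

```python
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # change_cipher_spec, alert, handshake, application_data
TLS_MAX_RECORD = 16384 + 2048                 # max plaintext plus the expansion the record layer allows


def looks_like_tls_record(data):
    """True if the first five bytes parse as a plausible TLS record header."""
    if len(data) < 5:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    # TLS 1.0 through 1.3 all put 0x03 as the major version on the wire; SSLv3 is 0x03 0x00.
    return (content_type in TLS_CONTENT_TYPES and major == 0x03 and minor <= 0x04
            and 0 < length <= TLS_MAX_RECORD)


def classify_payload(data):
    """Classify the opening bytes of a stream: 'tls', 'plaintext-http', 'plaintext-rtsp' or 'unknown'."""
    if looks_like_tls_record(data):
        return "tls"
    first_line, _, _ = data.partition(b"\r\n")
    tokens = first_line.split(b" ")
    if len(tokens) >= 3:
        # Request line is "METHOD URI PROTO"; a status line is "PROTO CODE REASON".
        proto = tokens[0] if tokens[0].startswith((b"HTTP/", b"RTSP/")) else tokens[2]
        if proto.startswith(b"HTTP/"):
            return "plaintext-http"
        if proto.startswith(b"RTSP/"):
            return "plaintext-rtsp"
    return "unknown"


# Constructed sample: what the first segment of three outbound connections from a camera might look like.
SAMPLE_FLOWS = [
    ("192.168.1.20:51000 -> 203.0.113.10:443",
     bytes([0x16, 0x03, 0x01, 0x00, 0xC8]) + b"\x01" + b"\x00" * 199),          # TLS ClientHello record
    ("192.168.1.20:51001 -> 203.0.113.10:80",
     b"POST /upload HTTP/1.1\r\nHost: cloud.example\r\nContent-Type: video/mp4\r\n\r\n"
     + b"\x00\x00\x00\x18ftypmp42"),                                             # cleartext video upload
    ("192.168.1.20:51002 -> 203.0.113.11:554",
     b"SETUP rtsp://203.0.113.11/live RTSP/1.0\r\nCSeq: 2\r\n\r\n"),             # cleartext RTSP session
]


def audit_flows(flows):
    """Return one verdict per flow, flagging anything recognisably sent in the clear."""
    report = []
    for flow, payload in flows:
        verdict = classify_payload(payload)
        report.append({"flow": flow, "verdict": verdict, "cleartext": verdict.startswith("plaintext")})
    return report


if __name__ == "__main__":
    for entry in audit_flows(SAMPLE_FLOWS):
        flag = "  <-- unencrypted" if entry["cleartext"] else ""
        print(f"{entry['flow']}: {entry['verdict']}{flag}")
```

An "unknown" verdict is not a clean bill of health: a proprietary binary protocol can carry video in the clear without an HTTP or RTSP request line, and a TLS handshake to a server whose certificate the device never validates is still open to interception. The triage only tells you where to look first.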
Ben-Itzhak’s other worry is that Tesla’s constant recording and uploading of data could create security liabilities of its own. As he characterizes it, the car records every time a driver makes an illegal turn or runs a red light and then sends that information to an off-site facility. It resembles the way the sharing settings on a Fitbit or Nike Fuelband once made it easy for anyone to see when their partners, friends, or work contacts were having sex, and for how long, as long as both parties used the same fitness tracker. In the brave new world of connected devices, the very act of generating data by driving or having sex creates entirely new security worries.
In a statement published in PCWorld, Tesla wrote “We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process.”
Meanwhile, Dhanjani sees his discovery as a wake-up call. “Owners of Tesla as well as other cars are increasingly relying on information security to protect the physical safety of their loved ones and their belongings,” he says. “Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks.”