Teen’s Tesla hack shows how vulnerable third-party apps can make cars


Washington DC
CNN

A German teenager says he found a vulnerability in an app used by some Tesla owners that allowed him to unlock doors, flash headlights and blast music. The hack highlights the relative lack of oversight of apps that some drivers can connect to their cars.

David Colombo identified a vulnerability in TeslaMate, a third-party app that some Tesla owners use to analyze data from their vehicle. He gained access to 25 Teslas whose owners use the app. He did not have access to steering, braking or acceleration, the controls whose compromise would be most dangerous.

The exploit opened up a number of potentially unwelcome possibilities for drivers, the hacker said.

“Imagine music blasting at maximum volume and every time you want to turn it off [sic] it just starts over, or imagine every time you unlock your doors, they just lock again,” Colombo, the 19-year-old behind the hack, wrote in a Medium post detailing the hack. Colombo said he could even track the location of Tesla vehicles as their owners went about their day.

Colombo told CNN Business that he immediately reported the vulnerability that enabled the hack to involved parties, including Tesla. Colombo runs a cybersecurity company, and it’s not unusual for security researchers to seek out software vulnerabilities for potential compensation. Tesla offers cash incentives to people who report bugs in the software, but Colombo said he was not paid because the vulnerability was in a third-party app, not Tesla infrastructure.

(TeslaMate and Tesla did not respond to a request for comment.)

Cars, including Teslas, have been hacked before. But cybersecurity experts believe this is the first time a vehicle has been hacked through an app that has gained direct access to some vehicle controls and data. The TeslaMate software runs on a computer outside the vehicle and reaches the car through Tesla's connected-car interface rather than being installed on the car itself. Apps can delight drivers with services their car wouldn’t otherwise have, as well as create new revenue for car manufacturers through app-related fees.

But cybersecurity experts warn that the automotive industry needs to mature, because the risks will grow as in-car apps become more common in the coming years.

“[Automakers] need to think about self-defending cars before self-driving cars,” Srinivas Kumar, a vice president at cybersecurity firm DigiCert who leads efforts to protect connected devices, told CNN Business. “If a car can’t defend itself against an attack, do you trust it to be self-driving?”

Colombo said preventing future hacks will require cooperation between automakers, app makers and car owners.

One way to prevent a hack of this nature, he said, would be for Tesla to restrict more thoroughly which data and commands apps can reach. For example, an app could be limited to reading data, such as whether the doors are locked, without being able to unlock them.

“In a perfect world, those apps in an app store that you can download to your Tesla wouldn’t have access to anything critical,” Colombo said.

Third-party apps are becoming increasingly available in new cars. Some newer models offer a limited selection of apps on the infotainment system. For example, some Cadillac drivers can download Spotify, NPR and the Weather Channel. Newer Ford models offer apps such as Waze, Domino’s and Pandora.

Tesla has not officially launched a way for app creators to add apps to their vehicles. But tech-savvy Tesla enthusiasts have written about how to do it.

Moshe Shlisel, CEO of Israeli cybersecurity company GuardKnox, said carmakers should scrutinize apps that end up on their vehicles to ensure security. GuardKnox is developing a way for cars to monitor their apps and shut them down if they do something wrong, such as communicating to a part of the vehicle that isn’t allowed.
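The two controls described above, a per-app grant that separates reading data from issuing commands (Colombo's suggestion) and a monitor that shuts an app down when it addresses a part of the vehicle it is not allowed to (the GuardKnox approach), can be combined in one policy gateway. The following is an added illustration, not code from Tesla, TeslaMate or GuardKnox; the app names, the vehicle state, the command table and the two-violation shutdown threshold are all constructed for the example.

```python
"""Hypothetical vehicle-app gateway: least-privilege grants plus a violation monitor.

Every third-party app is issued a Grant naming the data it may read, the commands
it may issue, and the vehicle subsystems it may address at all. Any request outside
the grant is denied and logged; after max_violations the app is shut off entirely.
"""
from collections import Counter
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when an app steps outside its grant (the gateway also records it)."""


@dataclass(frozen=True)
class Grant:
    read: frozenset        # data fields the app may read, e.g. "doors.locked"
    commands: frozenset    # commands the app may issue, e.g. "lights.flash"
    subsystems: frozenset  # subsystems it may address at all: "doors", "lights", ...


def subsystem(name: str) -> str:
    """'doors.unlock' -> 'doors'. Every field and command is namespaced this way."""
    return name.split(".", 1)[0]


# Constructed command table: command -> (state field it writes, new value).
COMMANDS = {
    "doors.unlock": ("doors.locked", False),
    "doors.lock": ("doors.locked", True),
    "lights.flash": ("lights.flashing", True),
    "media.volume_max": ("media.volume", 11),
    "drive.accelerate": ("drive.throttle", 100),
}


@dataclass
class Gateway:
    grants: dict                       # app name -> Grant
    state: dict = field(default_factory=lambda: {   # constructed vehicle state
        "doors.locked": True, "lights.flashing": False, "media.volume": 3,
        "drive.throttle": 0, "location.gps": (38.9, -77.0)})
    max_violations: int = 2            # assumed threshold before shutdown
    violations: Counter = field(default_factory=Counter)
    disabled: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def _check(self, app: str, name: str, allowed) -> None:
        """Deny unless the app is enabled, may address the subsystem, and holds the exact permission."""
        if app in self.disabled:
            raise PolicyViolation(f"{app} has been shut off")
        grant = self.grants.get(app)
        ok = (grant is not None and subsystem(name) in grant.subsystems
              and name in allowed(grant))
        if not ok:
            self.violations[app] += 1
            self.audit.append(f"DENY app={app} request={name} count={self.violations[app]}")
            if self.violations[app] >= self.max_violations:
                self.disabled.add(app)
                self.audit.append(f"SHUTDOWN app={app}")
            raise PolicyViolation(f"{app} may not access {name}")

    def read(self, app: str, name: str):
        """Read-only access: a logger can see doors.locked without being able to change it."""
        self._check(app, name, lambda g: g.read)
        return self.state[name]

    def command(self, app: str, cmd: str):
        """Command access is a separate, explicitly granted permission."""
        if cmd not in COMMANDS:
            raise KeyError(f"unknown command {cmd}")
        self._check(app, cmd, lambda g: g.commands)
        key, value = COMMANDS[cmd]
        self.state[key] = value
        self.audit.append(f"ALLOW app={app} command={cmd}")
        return self.state[key]


def denied(fn, *args) -> bool:
    """True if the gateway refused the call; convenience for the demo and tests."""
    try:
        fn(*args)
    except PolicyViolation:
        return True
    return False


def demo_gateway() -> Gateway:
    """Two constructed apps: a read-only trip logger and a lights app. Neither may unlock doors."""
    return Gateway(grants={
        "trip-logger": Grant(read=frozenset({"doors.locked", "location.gps"}),
                             commands=frozenset(),
                             subsystems=frozenset({"doors", "location"})),
        "light-show": Grant(read=frozenset(), commands=frozenset({"lights.flash"}),
                            subsystems=frozenset({"lights"})),
    })


if __name__ == "__main__":
    gw = demo_gateway()
    gw.read("trip-logger", "doors.locked")            # allowed: read only
    denied(gw.command, "trip-logger", "doors.unlock")  # denied: no command grant
    gw.command("light-show", "lights.flash")           # allowed
    denied(gw.command, "light-show", "drive.accelerate")  # wrong subsystem: violation 1
    denied(gw.command, "light-show", "media.volume_max")  # violation 2: app shut off
    print("\n".join(gw.audit))
```

The point of keeping `read` and `commands` as separate sets is that "may address the doors subsystem" no longer implies "may unlock the doors": the trip logger above can report lock state to its owner but a compromise of that app yields no command capability, and a command-capable app that wanders into the drive or media subsystem is cut off rather than merely refused.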

“It’s a wake-up call to the whole industry,” Shlisel said of Colombo’s hack.

He expects that the cars of the future will have hundreds of thousands of apps to choose from.

General Motors reviews apps and scans them for vulnerabilities, according to spokesman Darryll Harrison. Ford, which also allows a limited set of apps on some vehicles, declined to comment for this story.

But screening the apps that appear on infotainment systems won’t stop a person with sophisticated technical skills from running an app on a vehicle regardless of the automaker’s approval. This could be done through a USB connection or over the air, the route exploited in the Tesla hack, according to cybersecurity experts.

The National Highway Traffic Safety Administration released cybersecurity best practices in 2016, but it has not created standards for apps installed in vehicles. Neither has the car industry.

“Right now it’s open season,” Shlisel said.
