Tesla hack signals the importance of smart car cybersecurity
Hackers can hack a Tesla or any other smart car, under the right circumstances. While smart car manufacturers continue to improve the cybersecurity of smart and connected vehicles, the reality is, hackers are still finding ways to infiltrate these vehicles and cause more problems.
David Colombo, a 19-year-old self-described IT security specialist and hacker, made headlines around the world last week in the smart car and cybersecurity industry after announcing that he was able to hack into a number of Tesla cars around the world.
Through a series of Tweets, Colombo explained how he discovered flaws in Tesla that enabled him to unlock doors and windows, start cars without keys, and disable the vehicle’s entire security system. Colombo, who is based in Germany, also claimed he could see whether a vehicle had a driver, turn on the stereo system and flash its headlights.
Colombo provided screenshots and other documentation of his research that identified the maker of the software and gave details of the vulnerabilities in an interview with Bloomberg. He also claimed that he could access more than 25 Teslas in at least 13 countries.
Bloomberg also reported that a representative for Tesla in the U.S. and elsewhere didn’t respond to requests for comment. However, Colombo stated that Tesla’s security team had logically reached out to him to investigate the issue and prevent future threats.
Addition as of 11. Jan 22:33 (CET)
Tesla’s Security Team just confirmed to me they’re investigating and will get back to me with updates as soon as they have them.
— David Colombo (@david_colombo_) January 11, 2022
So how did Colombo hack a Tesla?
According to Colombo and news reports, a flaw in third-party software allowed him to access the 25 vehicles in 13 different countries. The vulnerability of third-party software on devices such as smart cars has long been a concern for carmakers as they felt these were to be secured.
Colombo has also suggested areas Tesla should focus on to better secure its vehicles. They include implementing different API access token scopes: a read-only scope, a non-critical scope (for the seat heater, etc.) and a critical scope (for unlocking doors, starting keyless driving, etc.).
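The scope separation Colombo suggests can be sketched as a deny-by-default authorization check. This is an added example, not Tesla's API and not code from the original article; the command names, the `Token` type and the assignment of each command to a tier are assumptions made for illustration.

```python
from dataclasses import dataclass

# Scope tiers follow the suggestion above. Command names and the tier each
# command is assigned to are hypothetical.
COMMAND_SCOPE = {
    "get_vehicle_state": "read_only",
    "set_seat_heater": "non_critical",
    "flash_lights": "non_critical",
    "unlock_doors": "critical",
    "start_keyless_drive": "critical",
}
KNOWN_SCOPES = frozenset(COMMAND_SCOPE.values())


@dataclass(frozen=True)
class Token:
    """Hypothetical access token: who holds it and which scopes it was granted."""
    subject: str
    scopes: frozenset


def authorize(token, command):
    """Return (allowed, reason); anything not explicitly granted is denied."""
    required = COMMAND_SCOPE.get(command)
    if required is None:
        return False, "unknown command"
    if not token.scopes <= KNOWN_SCOPES:
        return False, "token carries an unrecognised scope"
    if required not in token.scopes:
        return False, f"missing scope: {required}"
    return True, "ok"


def exposure(token):
    """Commands a holder of this token could run, i.e. the impact if it leaks."""
    return sorted(c for c in COMMAND_SCOPE if authorize(token, c)[0])


# Constructed sample tokens: a third-party data logger and the owner's own app.
LOGGER = Token("third-party-logger", frozenset({"read_only"}))
OWNER = Token("owner-app", frozenset({"read_only", "non_critical", "critical"}))

if __name__ == "__main__":
    for tok in (LOGGER, OWNER):
        print(tok.subject, "->", exposure(tok))
    print(authorize(LOGGER, "unlock_doors"))
```

With scopes split this way, a token issued to a third-party tool for reading vehicle data cannot unlock doors or start the car even if that tool exposes it.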
Tech Wire Asia reached out to Lotem Finkelstein, Head of Threat Intelligence and Research for Check Point Software Technologies to get his views on the hack and how car manufacturers can fix these types of problems in the future.
Finkelstein pointed out that while the threat may not be as severe as initially imagined, the reality is, smart cars can be hacked. And Colombo has just shown the world one of the ways it could be done.
Finkelstein also believed that Colombo was not able to take control of any vehicles in that sense, but claimed he was able to control some peripheral devices on 25 poorly maintained Teslas, like the volume of the sound system, windows and lights. Critically, he was not able to execute code on any of the compromised cars and certainly was not able to get into the drive control system.
“I would challenge this conclusion. Can we really expect users to be familiar with the software configuration of a complex and highly technically advanced product like a modern automobile? Surely cars, of all things, need to be secure ‘out of the box’ and secure to the highest standards. It should not be possible for the driver to allow remote access to their vehicle either by a given action or indeed inaction,” said Finkelstein.
That said, Finkelstein foresees a future where users will need to assume some responsibility for the cyber safety of their vehicles.
“If, God forbid, a hacker took control of your car and you had an accident, it would not matter whose fault it was that the car was not secured, you would want to do everything in your power to prevent it. Sure, we expect manufacturers to provide a fully secure vehicle but our experience in cyber tells us this is not something that can be 100% guaranteed forever. In the same way that we expect to be proactive in protecting our laptops and phones, I suspect we will need to take a more hands-on approach to ensure our cars are protected from cyber-attacks,” he concluded.
While the Tesla hack wasn’t as severe as many expected, it does raise questions on the technologies being used by the vehicles. With third-party software vulnerable, car manufacturers may need to look for stronger ways to secure a smart car.
As Finkelstein puts it, when lives are in danger, users will start to demand a higher level of personal control over such risks.