Tesla Model 3 was hacked
In March, Tesla’s Model 3 was hacked. The hackers managed not only to access the car’s web browser but also to execute code on its firmware and display a message on the infotainment system. Though the hackers didn’t “take over” the whole system, because they weren’t able to break into any other systems in the electric vehicle, the effort was enough to earn them a $375,000 paycheck from Tesla.
Why so? The thing is that the whole hack was part of a three-day cybersecurity contest called Pwn2Own, an event where Tesla pays top dollar to anyone masterful enough to find previously unknown bugs. Correcting any weakness helps the electric car company protect the people who drive its vehicles, or at least it hopes so.
Like everything connected to the internet, modern smart cars are super fucking hackable (if you are some kind of cyber genius). That’s why car companies no longer rely only on experienced internal security teams. You never know where the next good cyber Will Hunting is living.
At face value, encouraging outsiders to search for flaws may appear like searching for a teaspoon in a shitbucket with bare hands. However, not only does the move give skilled hackers a chance to flex their muscle, but it also helps companies like Tesla, GM, and others strengthen car security.
“We believe that in order to design and build inherently secure systems, manufacturers must work closely with the security research community to benefit from their collective expertise,” Tesla said.
Tesla’s approach toward plugging access holes began with its bug bounty program in 2014, and the company pays up to $15,000 per vulnerability. Still, it’s not the only automaker that invites hackers to test systems. For example, Fiat Chrysler has had a bug bounty program in place since 2016 and it pays hackers up to $1,500 each time they discover a previously unknown vulnerability. GM officially rolled out its bug bounty program in 2018 after establishing what it calls the Security Vulnerability Disclosure Program in 2016. Ford also started such a program in January 2019.
The best way for car companies to protect their cars is to combine multiple approaches that defend them from all sides, according to Asaf Ashkenazi, chief strategy officer at Verimatrix, a security and analytics software firm (which works with firms such as Visa, Mastercard, HBO, and others).
He said that cars today are in the beginning stages of what he called a three-prong approach to smart car security. “They are filtering away the obvious attacks from the outside by trying to create firewalls between subsystems,” he said. “If one is compromised, the hacker can’t move to other systems.”
This approach was shown during the Tesla hack as the Palo Alto-based company managed to contain the damage to just the browser while protecting all other vehicle functions.
The next level of protection from automakers is the ability to upgrade and fix issues via the airwaves, Ashkenazi said.
Legacy car companies have lagged behind Tesla’s ability to send these smartphone-style refreshes to its customers. The Palo Alto-based company uses the feature to update everything from semi-autonomous driving modes to cheeky Easter eggs or hidden gems. When responding to bugs, the company has fixed issues through software updates within a few days of discovering vulnerabilities and has been doing so since 2012.
Alongside Tesla, some of Ford and General Motors’ 2020 models will allow over-the-air updates that can upgrade a vehicle with new features and remotely fix problematic software. GM’s 2020 Cadillac CT5 will come with a new “digital nerve system” that makes the updates possible. The system will allow the automaker to fix engine malfunctions, improve fuel economy, adjust steering quality, and alter almost every feature on a vehicle, possibly even including updates for safety standards that go into effect years after the vehicle was built. In May, GM announced that most of its global models will be capable of over-the-air software upgrades by 2023.
And the third step: monitoring. The third level of consumer vehicle protection involves having AI detect that a car is behaving differently. That gives automakers a better chance to identify attacks early on, Ashkenazi said. Even if you have real-time protection inside the vehicle, you still need to know that one of your cars is being targeted. That’s where monitoring technology steps in, allowing auto companies to perform cross-data analysis and identify suspicious behavior that could otherwise be missed.
The road to cybersecurity is long and carmakers are at the very beginning of it. So hold on, many catastrophes are yet to happen. They may look something like the 2015 case with a Jeep Cherokee, when data security researchers successfully took remote control of it. Fiat Chrysler responded by recalling 1.4 million cars and trucks and sending USB sticks with software patches to owners.
A fleet-wide vehicle hack that results in death and destruction has yet to happen, but as Tesla CEO Elon Musk said in 2017, it’s “one of the biggest risks for autonomous vehicles.” He added that a fleetwide hack of Tesla is “basically impossible.”
Of course, it would be a lot faster and easier if all the car companies united in the name of their customers’ security, but we don’t see that happening in a world of profit and competition. Yet some steps have been made: the industry’s information-sharing and analysis group, Auto-ISAC, established in 2015, is dedicated to research and creating best practices for cybersecurity. Mitsubishi Electric, PACCAR, Volvo Group North America and American Trucking Associations joined the pact in 2018.