Researchers Discover Tesla Security Flaw that Could Turn Off Engine

August 7, 2015

Professional hackers discovered a series of security vulnerabilities in the Tesla Model S, but unlike Fiat Chrysler, by the time the news hit the media, Tesla had already upgraded the software in every affected car.

Wired reports that researchers were able to plug their laptops into the car's computer, start the car with a software command, and then drive it. They could also plant a Trojan virus while they had physical access and then remotely cut the car's engine.

It sounds eerily similar to the Jeep Cherokee hack that allowed researchers to override the car from their living rooms while another Wired reporter sat in the driver's seat.

The difference, though, is that a hacker would have to be physically inside the Tesla in order to drive it away or implant a virus. A series of firewalls also separates the entertainment system from the drive system. While hackers could cut power to the car, the driver could still steer the car to a safe location while it coasted in neutral.

Also, unlike the General Motors ignition problem in which the car's safety features failed to work without engine power, the Tesla's airbags are still functional even if the engine isn't running.

Once Fiat Chrysler became aware of the security problems, it developed a patch and notified owners. But owners had to head into a dealership in order to get the upgrade. Days after the Wired article went viral, Fiat Chrysler issued a recall for the 1.4 million affected vehicles and started mailing USB drives to owners.

Similar to how a smartphone is updated, Tesla already uses a wireless over-the-air (OTA) system for software upgrades and merely sent the patch to all the affected cars. Drivers just needed to hit a button on their dashboard to accept the fix.

Wired went on to write that there are still questions about gateway vulnerabilities that could allow hackers access to the drive system, but researcher and Lookout cofounder Kevin Mahaffey told the magazine that it's still the most secure car that they've seen.

How car companies respond to these vulnerabilities remains to be seen. Fiat Chrysler reportedly withheld the security problems from the National Highway Traffic Safety Administration (NHTSA) for almost two years because the carmaker didn't see it as a safety issue.

The NHTSA's Office of Defects Investigation (ODI) is also investigating whether the Fiat Chrysler vulnerabilities are found in other infotainment products made by Harman Kardon, which also supplies Mercedes-Benz, BMW, and Subaru.

Bloomberg reports that BMW employs a firewall system similar to Tesla's and that the infotainment systems are separate from the drive system. Mercedes-Benz said it was taking measures to protect its cars, but didn't elaborate.

In July, two Senate Democrats introduced a bill that would direct the NHTSA and Federal Trade Commission (FTC) to establish rules that would compel carmakers to secure cars and protect consumer privacy.