August 10, 2015: Don't Hack Me Bro

Insert cliché cybersecurity imagery.

The Tesla Model S isn't a car - it's an IoT with four wheels and electric motor(s). With a full-time Internet connection, it's a moving target ... literally. So it was with great interest that I attended this year's DEF CON talk titled "How to Hack a Tesla Model S" presented by Kevin Mahaffey (CTO of Lookout) and Marc Rogers (CloudFlare).

DEF CON is the annual hacker conference in Las Vegas, Nevada, an event I've been attending for quite a few years and I've always been worried about what sort of damage/nuisance conference attendees could inflict on my Model S.

Tesla cars are tremendously dependent on software. Pair that with IP connectivity and from-anywhere-on-the-Internet remote control and tracking capability, you're talking about a highly complex system with a very tempting attack surface. As anyone in working in infosec can attest, the more complex something is the higher the likelihood of vulnerabilities and exploitability.

I could just imagine the stereotypical script kiddie (wearing hoodies in dark rooms with Matrix-style digital cybersecurity imagery in the background, of course) detecting my car with an Nmap probe, firing vuln scans, finding an opening, launching Metasploit ... and BAM! the car drives off by itself to who knows where (after they disable my ability to track the car's location).

When I initially put down my Model S deposit back in July 2014, I emailed Tesla about their security practices with some very specific questions. The query apparently went up the chain to the Director of Information Security, and while that seems rather exciting, the response I was met with was the usual "We take cybersecurity seriously and employ the best people with the best technology to protect you from harm" boilerplate. Well, I sort of expected this. I probably would've replied with the same answer. At least I tried, and Tesla was apparently small enough back then that such a query got moved around internally pretty fast.

That said, back in August 2014 at DEF CON 22, Tesla had a surprising presence in the vendor booth at the conference (with an actual white Model S in the corner) and Kristin Paget was there answering questions and talking shop on security. This was roughly a couple of months before I was to take delivery of my Model S. Seeing Kristin in a position to help improve the digital security of the car was assurance that Tesla was genuinely taking security seriously, something that players in traditional industries have been absolutely terrible at and well behind the times. For example, see Charlie Miller and Chris Valasek's entertaining DEF CON 23 presentation which led Fiat Chrysler to recall over 1.4 million vehicles:


As I drove into Las Vegas, the paranoid side of me half-expected my car to all of sudden be taken over and I'd find myself in some back alley with folks ready to ship the car to a chop shop. For this eventuality, I created a couple of signs to place on the car while parked:


In Kevin Mahaffey and Marc Rogers' presentation, they demonstrated how they physically pulled apart a Model S guinea pig and dug into the electronics, covering what they discovered in terms of wiring, architecture, and other concerns that anyone in the information security practice would take great interest in:


In addition, JB Straubel was at the talk. I actually ran into him at the DEF CON ICS Village although I didn't get to say hi. Sort of just star struck. At least I almost rubbed shoulders with greatness.

All in all, it seems that Tesla has done a solid job compared to other companies (in other verticals as well) when it comes to software and network security. Good domain separation, least-privilege where possible, failure resilience, and mostly-decent crypto key management. Bravo. More research is needed, of course, but when it comes to defeating security systems in moving objects weighed in tons, you have to be very cautious.

Over-the-air updates FTW.

One has to wonder if the FBI/NSA/[insert unnamed agency here] have one or more 0-days for Tesla's software. Since the data you generate while driving a Model S or X is feeding into Tesla's mothership in the cloud, does the Fourth Amendment apply against MiTM?

The term "drive-by download" might have new connotations here.