Note: As stated below, Tesla has already patched many of the vulnerabilities discussed here in a recent patch.
LAS VEGAS -- It is very difficult to hack a Model S, but it's not impossible. Last week, researchers Kevin Mahaffey and Marc Rogers revealed that they were able to remotely unlock the Model S' doors, start the vehicle and drive away. They were also able to issue a "kill" command to a Model S to shut down the vehicle's systems, bringing it to a stop. Then, at this weekend's Defcon digital security conference, they showed all in attendance how they did it.
The researchers chose the $105,000 Model S because they believe that the "Tesla Model S is an archetype for what all cars will look like in the future." As that archetype, Mahaffey and Rogers found the Model S to be well designed and secure. In fact, almost 40 minutes of their 50 minute talk was devoted to the many dead ends that they ran into when attempting to crack the Tesla.
The process began with procuring a Model S from a private party and carefully taking the dashboard apart to get at the electronics inside. With the silicon laid bare, they found a pair of removable SD cards (one for map data and one for the file system), a USB header, a set of diagnostics ports and a mysterious proprietary cable.
The team tried to gain access to the firmware via the USB header, but found the firmware locked and therefore unexploitable. Peering into the SD card data, they found that the Model S' dashboard software uses a version of the same QtWebKit browser that was recently used to exploit the PS Vita portable gaming console. Tesla had already patched the browser though -- another dead end.
However, on that same SD card, they found a file, carKeys.tar, that contained the digital keys to start the Model S when its keyless entry transponder is in range. This was the first piece of the puzzle, but it was followed by another series of dead ends.
In the software, the researchers found a link to download the car's firmware direct from Tesla's servers, but that was only accessible via a virtual private network created with the Tesla "mothership" server whenever the vehicle connects to the Internet. Outside of the car's own communications, the researchers were unable to just download the data to a PC.
Progress slowed until the researchers discovered that the mystery port mentioned earlier was little more than a proprietary Ethernet connection. After hacking together an adapter out of Ethernet cable and Scotch tape, Mahaffey and Rogers had access to the vehicle's onboard network.
After connecting the vehicle to a network switch, they were able to step inline with the Model S' connection to the Internet and take advantage of its VPN connection to Tesla's servers to download and decompile the firmware, which contained a clever Monty Python "knights who say 'Ni!'" Easter egg, but was not itself the key to unlocking the Tesla. The firmware did, however, point to a handful of passwords that were stored insecurely in one of the data folders.
The next weakness found was with the Wi-Fi connectivity built into every Model S. The cars are programmed to automatically connect to the wireless network at any Tesla service center, which is of course named "Tesla Service" and uses a static network key. By spoofing a Tesla Service network, something that is fairly easily accomplished, the researchers now had a wireless connection to the car.
Together, the wireless connection, the digital car keys data found on the SD card, and the physical VPN connection to Tesla's servers gave the researchers nearly complete access to an infotainment software service called QtCarVehicle and all of the vehicle functions it can control. If you've ever sat in a Model S, you'll know that the central infotainment screen can control just about everything.
Even with this access, there were limitations. To get to this point, the researchers needed to physically disassemble the Model S to gain access to its Ethernet port and the carKeys.tar file. So, you can't just point a phone at any Model S and gain control. And that physical connection needs to be constant since the VPN security token needs to be sent almost constantly to Tesla's servers lest the car lock out access to its functions.
Though the researchers gained access to the Model S's onboard infotainment network, the vehicle doesn't send any raw CAN data across Ethernet, so they weren't able to reach anything beyond what Tesla's own legitimate APIs allow. While the vehicle could be shut down at low speed, above 5 mph the Model S's safety systems keep the driver in control of the steering and brakes and won't engage the emergency brake -- though the accelerator and infotainment can still be disabled.
Mahaffey and Rogers demonstrated that although the Model S isn't unhackable, its information systems are remarkably well designed and secured, rendering their hacking methods largely impractical for anyone who doesn't already have constant physical access to the car. Working closely with the researchers, Tesla has already issued patches to block access to the weak passwords stored locally and to close the firmware updater exploit. Thanks to its over-the-air update process, Tesla is able to push updates to its entire fleet of vehicles within a week.
Tesla also has a bug bounty program in place to reward researchers who point out flaws in its vehicle information systems and has recently upped the maximum reward to $10,000.