
PUBLISHED: AUGUST 06, 2015
It seems car hacking is the latest pastime. The Tesla Model S is the most recent example of a car with flaws in its computer software that could put drivers in danger. Kevin Mahaffey, co-founder and CTO of cybersecurity startup Lookout, and Marc Rogers, a security researcher at hacker-protection firm CloudFlare, plan to show the world how hackers can remotely hijack the vehicle at the Def Con hacking conference in Las Vegas Friday. Apparently, anybody who has physical access to the interior of the Model S can inject malware into the system that gives that individual complete control.
“We identified six vulnerabilities in the Model S that ultimately resulted in the ability to, with initial physical access to the car, gain full control over the vehicle’s infotainment system and be able to perform any action accessible to the center touch screen or Tesla’s smartphone app,” Mahaffey explained. “In one case, we were able to turn off the car while it was driving.”
Over-the-Air Patching
Connected cars are effectively computers on wheels, Mahaffey said. To realistically patch vulnerabilities at the frequency they are discovered -- instead of issuing a mass recall like Chrysler did -- manufacturers need to implement over-the-air patching systems into every connected car, he said. Tesla has such a system.
“In the past, security teams relied on a ‘perimeter’ security architecture to protect their systems. That is to say, hard on the outside and soft and chewy on the inside,” Mahaffey said.
“As the story went, if you kept attackers outside the gates, you didn’t have to worry so much about protecting the systems inside the gates,” he said. “Time has proven, however, that it’s practically impossible to completely prevent attackers from getting inside the perimeter. There are simply too many vectors to defend.”
What’s the Answer?
Chrysler, General Motors and now Tesla have discovered that the hard way.
In July, a security flaw was discovered in the Jeep Cherokee’s Connect vehicle-connectivity system. Two white hat hackers -- Charlie Miller and Chris Valasek -- tapped into the flaw while a reporter drove the vehicle down the highway.
The hackers successfully -- and remotely -- turned up the radio as loud as it would go and switched on the windshield wipers. They also cut off the transmission and disconnected the brakes. The Jeep ended up in a ditch.
A few days later, security researcher Samy Kamkar hacked General Motors’ (GM) OnStar in-vehicle system. Kamkar posted a YouTube video revealing what he called “OwnStar,” a device that intercepts GM’s OnStar Remote Link mobile app. He claimed OwnStar can locate, unlock and even remotely start cars that come equipped with the OnStar system.
We asked Jon Gelsey, CEO of identity infrastructure firm Auth0, for his thoughts on the car hacks. He told us the good news is that companies everywhere -- not just Tesla -- are becoming more aware of the security risks that come along with increasingly complex, increasingly accessible, in-demand technologies.
Unfortunately, there’s also some not-so-good news. Gelsey said it’s still a challenge to keep up with this ever-changing tech environment.
“The easiest way companies can stay ahead of hackers is to acknowledge that their developers can’t be expected to be experts across every subspecialty of the development chain, and utilize security-as-a-service platforms that keep up with the vulnerabilities for them,” he said.