
Tesla Model S Can Be Hacked, And Fixed (Which Is The Real News)

Hackers say they took control of a Tesla Model S through the car's computers. Tesla Motors says it is updating its systems with a patch to fix the vulnerability.

Cars have become computers on wheels. Crash the computer, and you could crash the car.

Two hackers decided they wanted to try doing that with a car that's considered pretty strong in terms of software, not just hardware. They chose the Tesla Model S. And — guess what — they broke in. But that's not the surprising part. The surprising part is how Tesla responded.

The Hack

Meet the two hackers: Kevin Mahaffey is a co-founder of Lookout; Marc Rogers is a principal security researcher with Cloudflare. Both cybersecurity firms are based in San Francisco.

They came to Las Vegas to attend Defcon, a conference where hackers exchange tricks of the trade. These two are "White Hats" — people who break into networks to look for flaws and get them fixed.

Here's how Rogers explained the hack: Tesla cars have a cable inside, which maintenance people can access to fix things. "That cable is hidden, in a secret panel," he said, either to the left of the driver or under the touchscreen.

Pop it open, find the cable and plug into it.

"It doesn't immediately give you access to anything," Rogers continued. "You have to do a few special things." Like poke holes in the software and look for bugs, for example.

The team found a few. The first gave them access to the car's network. The second got computers on the network to leak information about "how accounts hang together or maybe about how computers talk to each other," Rogers says.

With a fuller picture of how things work, Rogers and Mahaffey were able to convince computers at Tesla headquarters that their laptop was the car.

"We spoke to Tesla as the car, and essentially requested permission for more information," Rogers continues. Tesla's networks handed over data. The hackers tore it apart, analyzed it and got administrative access to the car.

"Once we had that foothold, we then took over all the computers in the car."

Rogers and Mahaffey then built themselves a back door, a way to control the car from afar. With that back door, they brought a real-life Model S to a grinding halt.

They made a recording to document their hack. In it, Mahaffey gets into the Model S and puts on "Call Me Maybe" by Canadian singer-songwriter Carly Rae Jepsen.

He drives very slowly through a parking lot. Rogers sends a command, through his iPhone, to shut down the car. And the Tesla stops dead in its tracks. The stereo shuts down, too.

Over-The-Air Updates

If you happen to own a Tesla, this might not be music to your ears. But it's good news because, unlike other automakers, Tesla actually has a system in place to fix bugs: regular software updates.

"This is something that seemed completely natural, in the DNA of how you build a connected product," says JB Straubel, Tesla co-founder and chief technology officer. "This is not a new concept in any way, shape or form."

Not new for Tesla, anyway. The company does something called "over-the-air updates," kind of like Apple does for iPhones. Every three months or so, every car gets a free software upgrade. No need to go to the mechanic for it.

The original intent wasn't security. (That's more a nice side effect.)

"It was built to give people content they wanted to use," Straubel says. "And that's still the main function, whether that content is streaming music or streaming maps."

The two hackers emailed Tesla about the bugs they found. Straubel and his team invited them in for a meeting and got details, figuring it's better that Tesla knows before the bad guys do. Tesla says it's sending over-the-air updates to all Model S customers with a patch.

Auto Industry Struggles With IT

Other companies have come under fire recently for not having a user-friendly system in place. Last month an article in Wired magazine described how a driver lost control of his Jeep Cherokee when two hackers remotely took over the car's computers.

In response, the car's manufacturer, Fiat Chrysler Automobiles, recalled 1.4 million cars. Fiat Chrysler also asked Sprint to issue a temporary fix over its network.

Earlier this year, a report by Sen. Ed Markey, D-Mass., found that automakers have fully adopted technologies like Bluetooth and wireless Internet access, but have "not addressed the real possibilities of hacker infiltration into vehicle systems."

The team that hacked Tesla says all carmakers should offer over-the-air updates, and do so free of charge.

"If you require an Internet subscription for the car, maybe 10 percent of people will sign up," says Mahaffey. "That doesn't work."

He and Rogers will present their findings at Defcon on Friday. They also suggest that automakers create a strong separation between the driving and infotainment systems inside vehicles, and build security rigorously into every component (a concept known as "defense in depth").

Ulf Lindqvist manages R&D projects in infrastructure security for SRI International. He says the not-for-profit research center is working with federal regulators on a new effort to help traditional automakers audit the cybersecurity of vehicles and build safer software systems.

"Good things are happening. It's not going to be super fast, but we're getting there," he says.

Copyright 2015 NPR. To see more, visit
