Cars have become computers on wheels. Crash the computer, and you could crash the car.
Two hackers decided they wanted to try doing that with a car that's considered pretty strong in terms of software, not just hardware. They chose the Tesla Model S. And — guess what — they broke in. But that's not the surprising part. The surprising part is how Tesla responded.
Meet the two hackers: Kevin Mahaffey is a co-founder of Lookout; Marc Rogers is a principal security researcher with Cloudflare. Both cybersecurity firms are based in San Francisco.
They came to Las Vegas to attend Defcon, a conference where hackers exchange tricks of the trade. These two are "White Hats" — people who break into networks to look for flaws and get them fixed.
Here's how Rogers explained the hack: Tesla cars have a cable inside, which maintenance people can access to fix things. "That cable is hidden, in a secret panel," he said, either to the left of the driver or under the touchscreen.
Pop it open, find the cable and plug into it.
"It doesn't immediately give you access to anything," Rogers continued. "You have to do a few special things." Like poke holes in the software and look for bugs, for example.
The team found a few. The first gave them access to the car's network. The second got computers on the network to leak information about "how accounts hang together or maybe about how computers talk to each other," Rogers says.
With a fuller picture of how things work, Rogers and Mahaffey were able to convince computers at Tesla headquarters that their laptop was the car.
"We spoke to Tesla as the car, and essentially requested permission for more information," Rogers continues. Tesla's networks handed over data. The hackers tore it apart, analyzed it and got administrative access to the car.
"Once we had that foothold, we then took over all the computers in the car."
Rogers and Mahaffey then built themselves a back door, a way to control the car from afar. With that back door, they brought a real-life Model S to a grinding halt.
They made a recording to document their hack. In it, Mahaffey gets into the Model S and puts on "Call Me Maybe" by Canadian singer-songwriter Carly Rae Jepsen.
He drives very slowly through a parking lot. Rogers sends a command, through his iPhone, to shut down the car. And the Tesla stops dead in its tracks. The stereo shuts down, too.
If you happen to own a Tesla, this might not be music to your ears. But it is good news because, unlike other automakers, Tesla actually has a system in place to fix bugs: regular software updates.
"This is something that seemed completely natural, in the DNA of how you build a connected product," says JB Straubel, Tesla co-founder and chief technology officer. "This is not a new concept in any way, shape or form."
Not new for Tesla, anyway. The company does something called "over-the-air updates," kind of like Apple does for iPhones. Every three months or so, every car gets a free software upgrade. No need to go to the mechanic for it.
The original intent wasn't security. (That's more a nice side effect.)
"It was built to give people content they wanted to use," Straubel says. "And that's still the main function, whether that content is streaming music or streaming maps."
The two hackers emailed Tesla about the bugs they found. Straubel and his team invited them in for a meeting and got details, figuring it's better that Tesla knows before the bad guys do. Tesla says it's sending over-the-air updates to all Model S customers with a patch.
Auto Industry Struggles With IT
Other companies have come under fire recently for not having a user-friendly system in place. Last month an article in Wired magazine described how a driver lost control of his Jeep Cherokee when two hackers remotely took over the car's computers.
In response, the car's manufacturer, Fiat Chrysler Automobiles, recalled 1.4 million cars. Fiat Chrysler also asked Sprint to issue a temporary fix over its network.
Earlier this year, a report by Sen. Ed Markey, D-Mass., found that automakers have fully adopted technologies like Bluetooth and wireless Internet access, but have "not addressed the real possibilities of hacker infiltration into vehicle systems."
The team that hacked Tesla says all carmakers should offer over-the-air updates, and do so free of charge.
"If you require an Internet subscription for the car, maybe 10 percent of people will sign up," says Mahaffey. "That doesn't work."
He and Rogers will present their findings at Defcon on Friday. They also suggest that automakers create a strong separation between the driving and infotainment systems inside vehicles, and build security rigorously into every component (a concept known as "defense in depth").
Ulf Lindqvist manages R&D projects in infrastructure security for SRI International. He says the not-for-profit research center is working with federal regulators on a new effort to help traditional automakers audit the cybersecurity of vehicles and build safer software systems.
"Good things are happening. It's not going to be super fast, but we're getting there," he says.