Image: Windell Oskay/Flickr
As you've no doubt picked up on by now, the future car is, for better or worse, a computer with wheels. You log in to your car with a password to control the digitized features. The car comes with built-in internet and downloadable apps. Toyota's new electric concept is named the "iRoad." As Motherboard's Derek Mead reported from CES this year, the trend is crystal clear: "Every car is going to get smarter and more connected, and no car will be worth its salt unless it's got an app."
There's a lot of cool shit you can do with a smart car. The problem with having an automobile that works just like a computer is it can be hacked just like a computer—in other words, far too easily.
At the Black Hat Asia security conference in Singapore over the weekend, security consultant Nitesh Dhanjani demonstrated just how easily it is to break into and control a vehicle, specifically a Tesla Model S.
Dhanjani focused his research on the all-electric car because it's leading the trend of computerized vehicles. The Model S comes with 3G data and wireless internet, its API is open to third-party developers who are starting to build apps for the car, and the car is remote-controllable via the Tesla iPhone app (screenshot below).
That app is accessed with a six-digit password that Tesla owners set up when they first buy the car. Dhanjani's report spells out how insecure this is, especially since the system doesn't lock you out after numerous incorrect attempts.
It'd take a hell of a long time to try to brute-force the password, but without a lockout, it's not impossible. If that didn't work, a phishing scheme could potentially be successful, Dhanjani explained. Or perhaps a bit of social engineering aimed at Tesla customer service employees or the owner could work. In any case, Dhanjani's point is that if a car has a password, that password can be swiped.
Once in, the attacker would be able to see the car's location, unlock it, and start messing around with the various connected features—relatively innocuous stuff like like draining the battery, honking the horn, or opening and closing the sunroof. But the virtual intruder could also steal valuable data about the owner and track their whereabouts.
“It’s a big issue where a $100,000 car should be relying on a six-character static password,” Dhanjani wrote.
They wouldn't be able to start the car and take off with it, or pull off the terrifying scenario of hacking the car while it's moving; for that to happen, the owner's electronic fob key would need to be present.
Tesla didn't comment on the specific report but said in a statement to Reuters, "We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process."
It's not just Tesla. A spate of internet-enabled automobiles from General Motors are coming off the line this summer, which will make the connected car more mainstream. Right now some 23 million cars on the road globally are connected to the internet in some capacity, according to research firm IHS Automotive, and that’s expected to jump to 152 million by 2020, Time reported.
Researchers have exposed serious security flaws in a variety of vehicles in the past, and as cars get more connected and more automated, the opportunities for an attack grow, and so does the concern—last December, a Massachusetts senator asked automakers to explain how they'll protect against car hacks.
It's no secret that the burgeoning Internet of Things is a potential security nightmare. But as much as no one wants their computer, phone, or smart home broken into, a car takes the risk to the next level. This is the point Dhanjani was trying to make.
"Owners of Tesla as well as other cars are increasingly relying on information security to protect the physical safety of their loved ones and their belongings," he wrote. "Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks. The implications to physical security and privacy in this context have raised stakes to the next level."