Tesla Model S Hackers Return for Encore Attack

A year after successfully hacking the Tesla Model S, the same team repeats their success at the Black Hat conference.

By Max Eddy

This story originally appeared on PCMag

With a handful of self-driving vehicles already on the road, the car is poised to be the next vanguard for high technology. And Tesla's all-electric vehicles are among the most advanced consumer vehicles on the road.

At Black Hat 2016, researchers from Tencent KeenLab demonstrated how to remotely take control of a Tesla Model S. Tesla quickly patched those vulnerabilities, but the Tencent team returned to Black Hat 2017 with a new slew of Tesla attacks.

Roll back

During their Black Hat session, researchers Ling Liu, Sen Nie and Yuefeng Du explained last year's Tesla hack in detail. Critical to attacking the Model S were the onboard Wi-Fi and 3G radios.

The Wi-Fi in the Model S tries to reconnect with known networks. That's true -- and not great security -- for many devices, but all Tesla vehicles are exposed to the same Wi-Fi network during construction, which has an easily guessed password. From there, the team attacked the vehicle's built-in browser, which they admitted was harder than expected because Tesla had already patched known vulnerabilities.

Using some JavaScript magic, the team elevated the privilege to the top (root) level, attacked the old, out-of-date kernel, bypassed a firmware integrity check and finally installed their own firmware on the gateway system. Once under their control, this critical system was the jumping-off point for the team's work in the Model S. With this level of control, the team could perform dangerous actions even when the car was in motion. Notably, the team also found attack vectors allowing them to gain access through the car's 3G radio.

Tesla fights back

The researchers notified Tesla of their findings, and the company released an update package within 10 days that fixed many of the vulnerabilities in the long, complex chain required to gain control of a Model S.

The researchers praised Tesla, which updated the kernel to a much newer version, making it harder to exploit. Tesla also hardened its browser, with multiple ways to protect vehicle systems even when the browser was compromised. The company also added code signing, which ensures that only legitimate code can be accepted as an update and installed by the vehicle.

Hacking should be fun

But this is Black Hat. The team told the audience that shortly after Tesla rolled out the new kernel, they found a zero-day vulnerability that allowed them to completely bypass the new code-signing mechanism.

In a video demonstration, the team showed how they were able to use an app to open the doors and trunks of two vehicles. They even demonstrated how they could engage the brakes while the car was in motion, with a Tesla stopping just short of two of the researchers.

But the researchers said they believed hacking should be fun, which is why their grand finale was a synchronized light show using the Tesla's exterior lighting systems synced to music. Flashing patterns covered the vehicle, with the lights clearly operating in a way not intended by the manufacturer. The gull-wing doors even opened and bobbed up and down like rhythmic rabbit ears. A member of the research team told the audience that making this light show work properly was very difficult, and required all of the vulnerabilities they had found.

Not quite the tired hoody-and-sunglasses approach to hacking, but definitely a memorable attack.

Max Eddy

Software Analyst
