Let’s make the teen Tesla hack a teachable moment

Tesla closes 2021 on a high note by besting expectations in Q4
January 29, 2022
Tesla is selling a microphone for in-car karaoke, but only in China
January 30, 2022
Tesla closes 2021 on a high note by besting expectations in Q4
January 29, 2022
Tesla is selling a microphone for in-car karaoke, but only in China
January 30, 2022

The buzz about 19-year-old Tesla hacker David Colombo is well deserved. A flaw in third-party software allowed him to remotely access 25 of the world’s leading EV manufacturer’s vehicles across 13 countries. The hacker shared that he was able to remotely unlock the doors, open the windows, blast music and start each vehicle.
The vulnerabilities he exploited aren’t in Tesla’s software, but in a third-party app, so there are some limits to what Colombo could accomplish; he couldn’t do anything in the way of steering or speeding up or slowing down. But he was able to open the doors, honk the horn, control the flashlights and gather private data from the hacked vehicles.

EVs are fun. They are superbly connected, constantly updated and offer a great user experience, but they are cars, not mobile phones. Assaf Harlel


For cybersecurity pros, such remote code execution or stealing app keys is a daily occurrence, but my hope is that we don’t become so desensitized to breach disclosures that we miss the opportunity to use this one as a teachable moment to educate stakeholders across the connected car ecosystem.
This compromise is a cybersecurity hygiene 101 issue, and frankly, a mistake that shouldn’t happen. The third-party software in question may have been a self-hosted data logger, as Tesla suddenly deprecated thousands of authentication tokens the day after Colombo posted his Twitter thread and notified them. Some other Twitter users supported this idea, noting that the default configuration of the app left open the possibility of anyone gaining remote access to the vehicle. This also tracks with Colombo’s initial tweet claiming the vulnerability was “the fault of the owners, not Tesla.”
Recent automotive cybersecurity standards SAE/ISO-21434 and UN Regulation 155 mandate automakers (aka OEMs) to perform threat analysis and risk assessment (TARA) on their entire vehicle architecture. Those regulations have made OEMs accountable for cyber risks and exposures. The buck stops there.
It is somewhat awkward that a sophisticated OEM such as Tesla oversaw the risk of opening up its APIs to third-party applications. Low quality apps may not be well-protected, enabling hackers to exploit their weaknesses and use the app as a bridge into the car, as the case seemed to be here. The integrity of third-party applications lies with automakers: It’s their responsibility to screen those apps, or at least block the interface of their APIs to non-certified, third-party app providers.
Yes, consumers have some accountability to make sure that they download and update apps frequently from app stores that are endorsed or inspected by their OEMs, but part of the OEMs’ responsibility is to identify such risks in its TARA process and block the access of unauthorized apps to their vehicles.
We at Karamba Security conducted a few tens of TARA projects in 2021 and saw wide variety in the security preparedness of OEMs. Yet they all place the utmost importance on identifying as many risks as possible and to address them before production, in order to maintain customer safety, and to comply with the new standards and regulations.
Here are the best practices that we recommend OEMs employ:
Our advice to consumers is to strictly avoid downloading apps which do not reside on the OEM’s store. As tempting as it may look, such apps can expose the driver and passengers to extreme cyber and privacy risks.
EVs are fun. They are superbly connected, constantly updated and offer a great user experience, but they are cars, not mobile phones. Hacking into vehicles endangers driver safety and privacy.

source

Colton R
Colton R
Colton is an entrepreneur in every sense of the word. His passion is to truly help others, whether it’s a local business looking to get ahead, or a non-profit that serves others.

Leave a Reply

Your email address will not be published. Required fields are marked *