Tesla Model S Hackers Return for Encore Attack

A year after successfully hacking the Tesla Model S, the same team repeats their success at the Black Hat conference.

By Max Eddy

This story originally appeared on PCMag

With a handful of self-driving vehicles already on the road, the car is poised to be the next vanguard for high technology. And Tesla's all-electric vehicles are among the most advanced consumer vehicles on the road.

At Black Hat 2016, researchers from Tencent KeenLab demonstrated how to remotely take control of a Tesla Model S. Tesla quickly patched those vulnerabilities, but the Tencent team returned to Black Hat 2017 with a new slew of Tesla attacks.

Roll back

During their Black Hat session, researchers Ling Liu, Sen Nie and Yuefeng Du explained last year's Tesla hack in detail. Critical to attacking the Model S were the onboard Wi-Fi and 3G radios.

The Wi-Fi in the Model S tries to reconnect with known networks. That's true -- and not great security -- for many devices, but all Tesla vehicles are exposed to the same Wi-Fi network during construction, which has an easily guessed password. From there, the team attacked the vehicle's built-in browser, which they admitted was harder than expected because Tesla had already patched known vulnerabilities.

Using some JavaScript magic, the team elevated the privilege to the top (root) level, attacked the old, out-of-date kernel, bypassed a firmware integrity check and finally installed their own firmware on the gateway system. Once under their control, this critical system was the jumping-off point for the team's work in the Model S. With this level of control, the team could perform dangerous actions even when the car was in motion. Notably, the team also found attack vectors allowing them to gain access through the car's 3G radio.

Tesla fights back

The researchers notified Tesla of their findings, and the company released an update package within 10 days that fixed many of the vulnerabilities in the long, complex chain required to gain control of a Model S.

The researchers praised Tesla, which updated the kernel to a much newer version, making it harder to exploit. Tesla also hardened its browser, with multiple ways to protect vehicle systems even when the browser was compromised. The company also added code signing, which ensures that only legitimate code can be accepted as an update and installed by the vehicle.

Hacking should be fun

But this is Black Hat. The team told the audience that shortly after Tesla rolled out the new kernel, they found a zero-day vulnerability that allowed them to completely bypass the new code-signing mechanism.

In a video demonstration, the team showed how they were able to use an app to open the doors and trunks of two vehicles. They even demonstrated how they could engage the brakes while the car was in motion, with a Tesla stopping just short of two of the researchers.

But the researchers said they believed hacking should be fun, which is why their grand finale was a synchronized light show using the Tesla's exterior lighting systems synched to music. Flashing patterns covered the vehicle, with the lights clearly operating in a way not intended by the manufacturer. The gull-wing doors even opened and bobbed up and down like rhythmic rabbit ears. A member of the research team told the audience that making this light show work properly was very difficult, and required all of the vulnerabilities they had found.

Not quite the tired hoody-and-sunglasses approach to hacking, but definitely a memorable attack.

Max Eddy

Software Analyst
