Hacking any system as complex as a car requires digging up not just one vulnerability but a series of exploitable bugs that create a path through the target’s maze of defenses. So when researchers at the Chinese firm Tencent revealed they could burrow through the Wifi connection of a Tesla S all the way to its driving systems and remotely activate the moving vehicle’s brakes, they exposed a chain of security problems.
Tesla could have reacted by fixing any one of the bugs to block the attack. Instead, it went further, implementing a more fundamental security feature that will make the next hack of its vehicles more difficult for even sophisticated hackers to pull off.
Tesla added a measure that requires any new firmware written to components on the CAN Bus—the internal network of computers that control everything from steering and brakes to windshield wipers—be digitally signed with a cryptographic key only Tesla possesses. The new protection, known as code signing, was pushed out wirelessly in a software update earlier this month to all Tesla S cars and Tesla X SUVs. It amounts to far tighter control over who can reprogram sensitive components. The upgrade makes Tesla’s in-vehicle security systems less like a malware-prone Windows PC and more like a locked-down iPhone.
Why Your Car’s More Hackable Than Your iPhone
In fact, code signing has been a widespread feature in PCs and smartphones for years. It’s what prevents you from installing an app on your iPhone that didn’t come from Apple’s App Store and triggers the warning about an untrusted application in Windows or MacOS when you install a piece of software downloaded from the web. But as vehicles have become increasing digital, automated and Internet-connected, code signing’s cryptographic trust feature has been conspicuously missing from major automotive vendors’ digital defenses.
Still, major carmakers have resisted recommendations to implement code signing, says Josh Corman, a founder of the Internet-of-things security nonprofit I Am the Cavalry. That’s due in part to their disparate supply chains, dealers, aftermarket tools and mechanics, all of which would be affected if a Detroit giant started requiring the same cryptographic validation of software changes that Apple does. “Tesla’s span of control over its parts and suppliers and dealers may afford a better security response,” says Corman. “Their ability to be nimble is objectively greater.”
How the Tesla S Got Hacked
To understand how code signing stymies car hackers, consider the blow-by-blow of the Tencent hackers’ attack, which they broke down for WIRED in a series of emails. The hackers first dug up a vulnerability in the Tesla S’ browser, which is based on the open source browser framework WebKit. That bug allowed them to start running malicious code in the browser of any Tesla that visited a carefully crafted website.
The Tencent hackers then used another vulnerability in the Tesla’s Linux operating system to gain full privileges on the car’s head unit, the computer in its dashboard. But even then the group couldn’t send commands to critical driving functions like steering and brakes:
A Big Fix For a Big Problem
When Tencent KeenLab team shared its attack technique with Tesla earlier this month, Tesla quickly created patches for the browser vulnerability and the Linux kernel flaw. But it also rushed to fix what CTO Straubel describes as the most serious problem the Chinese hackers exposed: The ability for any hacker who gets deep enough into the vehicles’ systems to rewrite the firmware of the driving components. “The browser vulnerability is not the real issue,” Straubel says. “We felt it was most relevant to respond to the piece that’s the real risk.”