The buzz about 19-year-old Tesla hacker David Colombo is well deserved. A flaw in third-party software allowed him to remotely access 25 of the world’s leading EV manufacturer’s vehicles across 13 countries. The hacker shared that he was able to remotely unlock the doors, open the windows, blast music and start each vehicle.
The vulnerabilities he exploited aren't in Tesla’s software, but in a third-party app, so there are some limits to what Colombo could accomplish; he couldn't do anything in the way of steering or speeding up or slowing down. But he was able to open the doors, honk the horn, control the flashlights and gather private data from the hacked vehicles.
EVs are fun. They are superbly connected, constantly updated and offer a great user experience, but they are cars, not mobile phones. Assaf Harlel
For cybersecurity pros, such remote code execution or stealing app keys is a daily occurrence, but my hope is that we don’t become so desensitized to breach disclosures that we miss the opportunity to use this one as a teachable moment to educate stakeholders across the connected car ecosystem.
This compromise is a cybersecurity hygiene 101 issue, and frankly, a mistake that shouldn’t happen. The third-party software in question may have been a self-hosted data logger, as Tesla suddenly deprecated thousands of authentication tokens the day after Colombo posted his Twitter thread and notified them. Some other Twitter users supported this idea, noting that the default configuration of the app left open the possibility of anyone gaining remote access to the vehicle. This also tracks with Colombo’s initial tweet claiming the vulnerability was “the fault of the owners, not Tesla.”
Recent automotive cybersecurity standards SAE/ISO-21434 and UN Regulation 155 mandate automakers (aka OEMs) to perform threat analysis and risk assessment (TARA) on their entire vehicle architecture. Those regulations have made OEMs accountable for cyber risks and exposures. The buck stops there.
It is somewhat awkward that a sophisticated OEM such as Tesla oversaw the risk of opening up its APIs to third-party applications. Low quality apps may not be well-protected, enabling hackers to exploit their weaknesses and use the app as a bridge into the car, as the case seemed to be here. The integrity of third-party applications lies with automakers: It’s their responsibility to screen those apps, or at least block the interface of their APIs to non-certified, third-party app providers.
Yes, consumers have some accountability to make sure that they download and update apps frequently from app stores that are endorsed or inspected by their OEMs, but part of the OEMs' responsibility is to identify such risks in its TARA process and block the access of unauthorized apps to their vehicles.
We at Karamba Security conducted a few tens of TARA projects in 2021 and saw wide variety in the security preparedness of OEMs. Yet they all place the utmost importance on identifying as many risks as possible and to address them before production, in order to maintain customer safety, and to comply with the new standards and regulations.
Here are the best practices that we recommend OEMs employ:
Secure the secrets/certificates - this ensures a long list of attacks dependent on successfully impersonating somebody or something else fail (replacing firmware, spoofing credentials, etc.).
Segment Access and functionality (in ways transparent to the user) - even if one point fails, damage is limited.
Test yourself (or set up a bounty program for others to do it) continuously - and fix whatever you find quickly.
Protect against remote code execution attacks by hardening your externally connected systems, such as Infotainment, telematics and onboard charger.
Close up your APIs. Do not allow unauthorized parties to use them. Such practice would have spared the recent attack.
Our advice to consumers is to strictly avoid downloading apps which do not reside on the OEM’s store. As tempting as it may look, such apps can expose the driver and passengers to extreme cyber and privacy risks.
EVs are fun. They are superbly connected, constantly updated and offer a great user experience, but they are cars, not mobile phones. Hacking into vehicles endangers driver safety and privacy.