It’s “the most secure car we’ve ever seen,” said researcher Kevin Mahaffey about the Tesla Model S. He’s co-founder and CTO of the mobile security firm Lookout, and along with Cloudflare Principal Security Researcher Marc Rogers, he spent somewhere around 2 years digging through the computerized architecture of the Tesla Model S, looking for vulnerabilities to exploit.
But as relatively secure as the Tesla Model S electric sedan is, it’s not entirely free of vulnerabilities, the two researchers told WIRED magazine. Mahaffey and Rogers did manage to find two potential avenues of access, both of which require a physical connection with the car through its onboard Ethernet port.
That makes the Tesla Model S instantly more secure than some Fiat Chrysler offerings which, it was discovered, can be hacked remotely from virtually anywhere.
Once Mahaffey and Rogers had a direct connection to the car’s Ethernet port, they found that so-called “superuser” administrative privileges weren’t too far off. With that access, the two had some success in “hot-wiring” a Tesla Model S through this networking port. Alternatively, the duo says that when connected to the car, they can plant a remote-access Trojan to allow them back into the system from outside of the car later.
Now, the infotainment screen in the Tesla Model S is connected to all of the car’s primary functions, but only through a “gateway” meant to limit the amount of control held by user inputs. As a result, Mahaffey and Rogers found that the scope of what they could accomplish via the Trojan was, thankfully, limited.
But after working with the two security researchers for several weeks, Tesla Motors has already issued an over-the-air update to address some or all of these risks. A spokesperson for Tesla told WIRED: “Tesla has taken a number of different measures to address the effects of all six vulnerabilities reported by [the researchers]. In particular, the path that the team used to achieve root (superuser) privileges on the infotainment system has been closed off at several different points… [and] the browser has been further isolated from the rest of the infotainment system using several different layered methods.”
But despite the need for an OTA update to fix these security vulnerabilities, say the two researchers, the automaker clearly thought ahead about network security in the Tesla Model S. Mahaffey remarked that other manufacturers should try to follow Tesla’s lead.