Are computers leaving cars vulnerable to hacking?
The proliferation of in-car electronics could leave motorists open to cyber-mischief
Security researcher Nitesh Dhanjani was alarmed to find that his Tesla Model S could be accessed and controlled through a smartphone app
We have become so used to the rise and rise of electronic gadgets in our cars that being blasé about such things has become the norm. Where once upon a time a push-button AM radio was considered the bleeding edge of technology, now most buyers won’t even consider a model without a touch-screen, Bluetooth and full smartphone integration.
The current apogee is Apple’s newly-launched CarPlay system which seamlessly integrates the use of everyone’s favourite high-end phone into the dashboard of your car. Such items are now even becoming de rigueur on the second-hand market, something of a turnabout when it comes to reliability-centric used buyers. As my own father would (and does) always say, “It’s just more stuff to break”.
Is there something more sinister than mere breakage that should concern us though? Is the proliferation of in-car electronics, and more so, electronics which can talk and communicate with the outside world, leaving car owners open to cyber-mischief?
Certainly, many of the world’s leading experts on cyber-crime believe this to be the case. Recently, it has been demonstrated that some Ford and Toyota vehicles can have their electronic “brains” fooled sufficiently for an outside agent to take over such critical functions as steering and braking. Tesla, that automotive wunderkind, has proven fallible to such attacks in the recent past.
Security researcher Nitesh Dhanjani recently bought himself a Tesla Model S saloon, but was alarmed to find that the car could be accessed and controlled through a smartphone app. That app requires owners only to enter a six-digit password, which is nowadays regarded as the bottom rung of cyber-security.
Worse again, that same password allows access to the app’s website, and when Dhanjani started to explore it from a security point of view, he found that multiple wrong password entries did not lock out the account.
“Given that the only control around the iPhone app is a password, the situation is ripe for potential attackers to steal credentials using phishing attacks. Once credentials are gathered, phishers can easily check the location of the cars for the accounts they have compromised by using the Tesla REST API,” said Dhanjani on his blog.
“Tesla has demonstrated innovation leaps and beyond other car manufacturers. It is hoped that this document will encourage owners to think deeply about doing their part as well as for Tesla to have an open dialogue with its owners on what they are doing to take security seriously.”
Since Dhanjani’s revelation, Tesla has now introduced a lockout function on its website to prevent repeated password attacks, but clearly in a world where our cars can so easily communicate with the world wide web, there are openings for hackers to exploit. Where once we worried about leaving a window open or a door unlocked, now perhaps we should be more concerned about Bluetooth passwords or USB ports.