August 6, 2015

Last week a friend drove me to the airport in his new Tesla. I’d never been in one before so I took the chance to poke around a little. The Tesla Model S has a lot of bells and whistles many cars lack. Most visibly, there is a huge touchscreen computer in the center console which includes a web browser. There is also a built-in 3G or LTE modem so the company can ship over-the-air updates and remotely access and monitor the car.

The first thing I did was visit SSL Labs in the browser to check if the browser’s TLS implementation was up to date.

Tesla’s browser is based on a version of WebKit that was released in 2011. The TLS configuration is completely broken, leaving it open to a variety of attacks that would compromise the authenticity and confidentiality of data transferred. This is a concern when visiting websites, and I’d advise against doing any online banking or private surfing from your Tesla’s browser. But it’s a much bigger concern when you consider what it says about Tesla as a company.

Why cars need to be secure

Vehicles in general and cars in particular should be held to the highest possible standard with regard to security. We trust not only our lives but the lives of everyone else on the road to them every day. As cars become more integrated with computers and transceivers, the possibility for something to go seriously wrong also increases. The most recent and serious example of this so far is the remote takeover vulnerability recently disclosed in Jeeps.

Disclaimer: I don’t own or have regular access to a Tesla, their software is closed source, they don’t ship a software simulator, and any attempt to poke around more deeply might brick a car that starts at $70,000. I’d love to explore more, but I can’t. Here are some (worst case) possibilities that I can’t exclude yet:

The touch screen system controls both entertainment and functional components of the car. Given what we know about car security it’s possible that vulnerabilities in the web browser could be used to pivot out into more critical functions just by visiting a web site.

Tesla can also ship over-the-air updates to cars in the field. I’m immediately curious if their update framework relies on the same TLS configuration as the web browser. If it does, a malicious attacker could tamper with an update and do anything from bricking the car to driving it off the road.

Brown M&M’s

Again, I have no way to determine the extent of the vulnerability, and it’s possible that the Tesla security team fully sandboxed the browser from the start. I’m not optimistic and here’s why:

Van Halen famously had a clause in their performance contract requiring a bowl of M&M candies be provided backstage, but that the brown M&M’s be removed. Like cars, concerts are technically complicated and, if poorly executed, dangerous to the performers.

From David Lee Roth’s autobiography:

Van Halen was the first band to take huge productions into tertiary, third-level markets. We’d pull up with nine eighteen-wheeler trucks, full of gear, where the standard was three trucks, max. And there were many, many technical errors — whether it was the girders couldn’t support the weight, or the flooring would sink in, or the doors weren’t big enough to move the gear through. The contract rider read like a version of the Chinese Yellow Pages because there was so much equipment, and so many human beings to make it function. So just as a little test, in the technical aspect of the rider, it would say “Article 148: There will be fifteen amperage voltage sockets at twenty-foot spaces, evenly, providing nineteen amperes …” This kind of thing. And article number 126, in the middle of nowhere, was: “There will be no brown M&M’s in the backstage area, upon pain of forfeiture of the show, with full compensation.” So, when I would walk backstage, if I saw a brown M&M in that bowl … well, line-check the entire production. Guaranteed you’re going to arrive at a technical error. They didn’t read the contract. Guaranteed you’d run into a problem. Sometimes it would threaten to just destroy the whole show. Something like, literally, life-threatening.

If the security of something so basic and so visible to customers is so broken, I’m deeply suspicious about the rest of the car’s security.

Remediation

Tesla can and should make the most secure cars in the world.

They are designed to be digital from the ground up. The company has no legacy products, no overbearing parent company, and is trying to earn the trust of drivers as it presents them with a radical new set of technologies.

The PR costs of bad security alone make it a worthwhile investment and Tesla has a customer base of unusually tech-savvy customers. Companies like Google invest massive amounts of money into the security of their technology, but when Google ships insecure software, very few people die. The stakes for transportation are much higher.

Tesla also has the unusual ability to ship over-the-air updates and immediately fix newly-discovered vulnerabilities in any part of its software. However, there have been zero CVE identifiers issued to or security advisories from Tesla, despite 45 bugs being rewarded by their bounty program.

Here’s how to fix it:

First, open source everything. Tesla cars are remarkably closed today. Their vehicles are also very expensive and there are relatively few on the road. This combination makes it very difficult for security researchers to experiment.

Their current position with closed-source software is particularly at odds with the company’s stated patent philosophy:

Yesterday, there was a wall of Tesla patents in the lobby of our Palo Alto headquarters. That is no longer the case. They have been removed, in the spirit of the open source movement, for the advancement of electric vehicle technology. We believe that applying the open source philosophy to our patents will strengthen rather than diminish Tesla’s position. — Elon Musk

Second, Tesla should modernize their security bounty program. Bounty programs are important for vendors because they encourage both research and coordinated disclosure. Surely Tesla wants newly discovered vulnerabilities reported to them first instead of at DEF CON or sold to the highest bidder by vulnerability brokers.

This isn’t a new idea, at least to Musk:

You want to be extra rigorous about making the best possible thing you can. Try to find everything that’s wrong with it, and fix it. Seek negative feedback, particularly from friends.

Their current maximum payout is $1,000 and specifically excludes issues related to TLS configuration. Compare this to to Google Chrome’s $50,000 and the fact that it costs $70,000 just to get your hands on a Tesla.

Update (2015-08-13): At some point after this post was published, the maximum payout from Tesla was bumped to $10,000.

United Airlines recently started offering security bounties in airline miles. Tesla would attract a massive audience of hobbyist and professional security researchers if they offered Powerwalls or even a Model S in exchange for disclosing critical vulnerabilities.

Tesla wants us to believe that they’re the future of cars. At least when it comes to security, it’s time they start acting like it.

For more details on attacks against Tesla cars, you should read this article detailing some vulnerabilities disclosed today by Kevin Mahaffey and Marc Rogers.

Update (2016-09-27): Researchers at Tencent KeenLab took control of a Model S by chaining vulnerabilities together including one in the car’s web browser.