Let’s make the teen Tesla hack a teachable moment

/in


The buzz about 19-year-old Tesla hacker David Colombo is well deserved. A flaw in third-party software allowed him to remotely access 25 of the world’s leading EV manufacturer’s vehicles across 13 countries. The hacker shared that he was able to remotely unlock the doors, open the windows, blast music and start each vehicle.

The vulnerabilities he exploited aren’t in Tesla’s software, but in a third-party app, so there are some limits to what Colombo could accomplish; he couldn’t do anything in the way of steering or speeding up or slowing down. But he was able to open the doors, honk the horn, control the flashlights and gather private data from the hacked vehicles.

EVs are fun. They are superbly connected, constantly updated and offer a great user experience, but they are cars, not mobile phones. Assaf Harlel

For cybersecurity pros, such remote code execution or stealing app keys is a daily occurrence, but my hope is that we don’t become so desensitized to breach disclosures that we miss the opportunity to use this one as a teachable moment to educate stakeholders across the connected car ecosystem.

This compromise is a cybersecurity hygiene 101 issue, and frankly, a mistake that shouldn’t happen. The third-party software in question may have been a self-hosted data logger, as Tesla suddenly deprecated thousands of authentication tokens the day after Colombo posted his Twitter thread and notified them. Some other Twitter users supported this idea, noting that the default configuration of the app left open the possibility of anyone gaining remote access to the vehicle. This also tracks with Colombo’s initial tweet claiming the vulnerability was “the fault of the owners, not Tesla.”

Recent automotive cybersecurity standards SAE/ISO-21434 and UN Regulation 155 mandate automakers (aka OEMs) to perform threat analysis and risk assessment (TARA) on their entire vehicle architecture. Those regulations have made OEMs accountable for cyber risks and exposures. The buck stops there.

It is somewhat awkward that a sophisticated OEM such as Tesla oversaw the risk of opening up its APIs to third-party applications. Low quality apps may not be well-protected, enabling…

Source…