For those who dream of connected cars, the reality may be that cars are a bit too connected.
In less than two minutes, ethical hackers from the French cybersecurity company Synacktiv broke into a Tesla Model 3’s gateway and infotainment subsystems. The Synacktiv team highlighted their accomplishment by substituting their logo for Tesla’s on the infotainment screen.
Additionally, they were able to gain full access to the car over an Ethernet network. For safety reasons, they limited the demonstration to compromising the Tesla’s head unit, which controls the navigation and entertainment systems, rather than the complete vehicle.
But this was no idle exercise; the team won $350,000 and — you guessed it — a brand-new Tesla Model 3. The event was held last week at the Pwn2Own 2023 hacking contest in Vancouver, British Columbia. It was organized by the Japanese cybersecurity firm Trend Micro, which runs bug bounty programs that pay white hat hackers to find vulnerabilities and alert automakers and suppliers to the flaws.
How bad was the hack?
Synacktiv’s white hat hackers compromised the energy management system of the Model 3, which coordinates communication between a Tesla and the Tesla Powerwall backup electrical system. Their breach fully compromised the Tesla’s head unit, enabling Synacktiv to unlock the car’s doors and trunk while it was moving.
A Tesla security response team in Vancouver monitoring the hack confirmed the intrusions. The EV maker is expected to fix the bugs via an upcoming over-the-air update, according to online reports.
Of course, this kind of hack is nothing new. In 2022, a security expert was able to open the doors and start the electric motor of the Tesla Model S and Model Y.
Tesla is not alone
But all automakers are at risk of being hacked. Consider Ferrari.
A ransomware attack that exposed customer data struck the Italian sports car manufacturer Ferrari. It is unclear when the hackers approached Ferrari with a ransom demand, and Ferrari did not disclose the sum. The manufacturer alerted law enforcement and is investigating the incident with a major cybersecurity firm.
The issue is pervasive, however. Earlier this year, seven security researchers were able to hack into the systems of 16 automakers, giving them control not only over car operations but also the ability to start or stop an engine. Telematics systems, automotive APIs (which allow apps and vehicles to talk to one another) and back-end infrastructure were among the systems compromised.
Vehicles manufactured by Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce and Toyota were among those affected. Once the systems were breached, the automakers were contacted, and the software holes fixed with software updates.
What they accomplished was worrisome. They started and stopped engines, locked and unlocked doors, honked horns, flashed headlights, and precisely located Acura, Honda, Kia, Infiniti and Nissan vehicles, while retrieving the names, addresses, phone numbers and email addresses of the vehicles’ owners. They could even change a vehicle’s ownership. These are just some of the problems found, as every make mentioned had weaknesses.
And it was done using each car’s Vehicle Identification Number, which is clearly visible through the windshield.
But not all of the vulnerabilities were in the automakers’ own software; some came through satellite radio company Sirius XM’s Connected Vehicle Services. In addition, the researchers were able to breach Spireon fleet management software, which would have allowed them to shut off the starters of ambulances and police vehicles.
Researchers contacted the companies, who have since issued patches to fix the problems.
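The common thread in the automotive API findings above is that a VIN, a value printed where anyone can read it, was enough to act on a vehicle. The article does not describe the internal design of any of those APIs, so the snippet below is an added illustration, not code from the researchers or from any automaker. It assumes the weak pattern was a remote-command endpoint that selected the vehicle by VIN and never checked that the VIN belonged to the authenticated account, and shows the object-level authorization check that closes that gap, plus the audit trail a defender would use to spot a caller probing VINs it does not own. All VINs, account ids and the registry are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample registry of which account owns which vehicle.
# The VINs and account ids are made-up values, not real vehicles.
VEHICLE_OWNERS: Dict[str, str] = {
    "5YJ3E1EA7KF000001": "acct-alice",
    "1HGCM82633A000002": "acct-bob",
}

ALLOWED_COMMANDS = {"lock", "unlock", "start", "stop", "locate"}

# In-memory audit trail of every authorization decision (for the demo;
# a real service would ship these to its logging pipeline).
AUDIT: List[dict] = []


@dataclass
class Session:
    account_id: Optional[str]  # None models an unauthenticated caller


class Unauthorized(Exception):
    pass


def _audit(account_id: Optional[str], vin: str, command: str, allowed: bool) -> None:
    AUDIT.append({"account": account_id, "vin": vin, "command": command, "allowed": allowed})


def weak_remote_command(vin: str, command: str) -> str:
    """Weak design (an assumed pattern, kept only for contrast): the VIN alone
    selects the vehicle and nothing binds it to the caller, so anyone who can
    read a VIN through a windshield can drive the endpoint."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    if vin not in VEHICLE_OWNERS:
        raise KeyError("unknown vehicle")
    return f"{command} sent to {vin}"


def hardened_remote_command(session: Session, vin: str, command: str) -> str:
    """Hardened design: the caller must be authenticated, and the VIN must be
    one that the caller's account owns. A guessed or observed VIN no longer
    widens what the caller may do, and every decision is recorded."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    if session.account_id is None:
        _audit(None, vin, command, False)
        raise Unauthorized("authentication required")
    # Object-level authorization. One error covers both "not yours" and
    # "not enrolled", so the endpoint does not confirm which VINs exist.
    if VEHICLE_OWNERS.get(vin) != session.account_id:
        _audit(session.account_id, vin, command, False)
        raise Unauthorized("vehicle not associated with this account")
    _audit(session.account_id, vin, command, True)
    return f"{command} sent to {vin}"


def accounts_probing_foreign_vins(audit: List[dict], threshold: int = 3) -> List[str]:
    """Detection: an account denied on `threshold` or more distinct VINs looks
    like VIN enumeration rather than a typo. Returns the offending account ids;
    unauthenticated callers are grouped under None."""
    distinct_denied: Dict[Optional[str], set] = {}
    for entry in audit:
        if not entry["allowed"]:
            distinct_denied.setdefault(entry["account"], set()).add(entry["vin"])
    return [acct for acct, vins in distinct_denied.items() if len(vins) >= threshold]


if __name__ == "__main__":
    # Alice unlocking her own car succeeds; Bob trying Alice's VIN is denied.
    print(hardened_remote_command(Session("acct-alice"), "5YJ3E1EA7KF000001", "unlock"))
    try:
        hardened_remote_command(Session("acct-bob"), "5YJ3E1EA7KF000001", "unlock")
    except Unauthorized as exc:
        print("denied:", exc)
    print("suspicious accounts:", accounts_probing_foreign_vins(AUDIT, threshold=1))
```

The important line is the comparison against `VEHICLE_OWNERS.get(vin)`: the authorization decision is keyed on the session, not on the identifier the caller supplied. The detection helper is deliberately simple; in practice the threshold would be tuned per endpoint, and denials from unauthenticated callers would be rate-limited before they ever reach this point.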
An easy target
Automobiles have proven to be an easy target for hackers as the auto industry stuffs its vehicles with an increasing number of software programs, connectivity features, sensors and computers that run everything from infotainment to powertrains. What is worrisome is that automakers spend considerably less on friendly hackers to find software vulnerabilities than other sectors do.
According to the 2022 Hacker-Powered Security Report, internet and online services paid friendly hackers $13.1 million in 2022, while computer software companies spent $8.7 million, financial service providers paid $3.4 million and retailers paid $1.4 million. Automakers spent a relatively paltry $483,809.
Perhaps this is why, according to Israeli cybersecurity firm Upstream, publicly reported auto hacks skyrocketed 239% in 2022 compared to 2018.
It’s an issue overdue for greater attention by automakers.