By Lynn Walford, AUTO CONNECTED CAR NEWS
November 15, 2020
The nonprofit, nonpartisan Consumer Watchdog released a video showing how a box it built with the help of technologists could hack into the wireless connection of a Tesla and take over the screen with a “This Tesla’s Been Hacked” message.
The group said the demonstration showed how vulnerable the wireless connection in the cars is – by amplifying the signal it could work on many vehicles simultaneously, a large scale hack. Once in control of the screen, a hacker could suggest malware be downloaded, potentially giving them access to the car’s operation and control over the vehicle, or otherwise sabotage the car.
Consumer Watchdog released the video in conjunction with its new report, “Connected Car Report 2020: The Models Most Open To Hacks,” in which it reviews the “Hack 10” of top selling cars.
“Connected Car Report 2020: The Models Most Open To Hacks,” finds all of Car and Driver’s top 10 best-selling cars for 2020 clearly have features that allow wireless connectivity with safety critical systems and no known way to disconnect those systems. This leaves the vehicles vulnerable to an unprecedented, large-scale hack. To prepare the report, Consumer Watchdog reviewed technical specifications and surveyed dozens of sales departments and service technicians at major car manufacturers. The group demon
The report finds all of Car and Driver’s top 10 best-selling cars for 2020 clearly have features that allow wireless connectivity with safety critical systems and no known way to disconnect those systems. This leaves the vehicles vulnerable to an unprecedented, large-scale hack.
“The 2020 fleet is wired for remote start options that connect to safety critical systems wirelessly and leave these cars vulnerable to fleet wide hacks,” said Jamie Court, president of Consumer Watchdog. “The remote start capability is accessed through the same digital systems that control steering, acceleration, and braking — potentially giving hackers control over those as well. Automakers acknowledge to their shareholders that their designs are very vulnerable to malicious hacks at the same time as they promote their wireless start features to the public as a panacea. If Consumer Watchdog can hack a Tesla’s wireless connection from outside the vehicle imagine what mischief a hostile foreign actor could do with exponentially more resources.”
To prepare its “Connected Car Report 2020,” Consumer Watchdog reviewed technical specifications and surveyed dozens of sales departments and service technicians at major car manufacturers.
The nonprofit group found that many dealership employees misrepresented that the safety-critical systems of top selling models are linked online and the dangers of such connections. None of the cars came with an apparent method to disconnect the car from the wireless connection.
When safety critical systems – brakes, engine, steering – are connected wirelessly there is the possibility of that connection being hacked on a fleet-wide basis. This danger is outlined in Consumer Watchdog’s previous report, “Kill Switch: Why Connected Cars Can Be Killing Machines and How To Turn Them Off.”
The group reserved its grand prize of “Most Hackable Car” for Tesla based on its history of hacks, outlined in the “Connected Car Report.”
For example, in July 2017, Tesla CEO Elon Musk professed that the biggest danger of autonomous car technology was a “fleet wide hack.” In August 2020, it was reported that just months before that 2017 statement Tesla had faced a fleet wide hack, but failed to reveal it to the public or regulators. Instead, it paid the discoverer of the problem to kept the incident quiet.
The company also faced a series of hacks by Keen Labs, a prolific hacker group based in China.
Unlike “white hat” hackers that disclose their findings privately to the company in exchange for payments, called bug bounties, Consumer Watchdog did not contact Tesla about the vulnerability it found. The consumer group said that the point of the hack was to show that Tesla’s failure to commit to security by design puts the public at risk and it should have to face that fact in the light of public scrutiny.
Tesla has dismantled its North American public relations department and does not even have a liaison to the public to address safety concerns.
Consumer Watchdog tweeted at Elon Musk “Hey Elon. Hacked your Tesla. Can you figure out how?”
“Elon Musk will either figure out how we hacked the Tesla and patch the problem or he can drive his Tesla down to our office and we will show him how we did it in person on his car,” said Court. “The point is that Tesla’s system is insecure by design and puts the public at risk. Musk and the car industry need to pay attention to the risks. As we say in the video, we could have amplified the signal and performed the same hack on many Teslas simultaneously. It is inherently dangerous to have unsecured wireless connections to safety critical systems in cars.”