Cryptographically securing over-the-air updates to cars: Code-signing on Teslas

A few weeks ago, security researchers at Keen Security Lab, the security research arm of China-based Tencent, used a vulnerability in WebKit, a widely used open source browser framework, to trick a Tesla Model S that connected to a malicious hotspot into downloading a malicious payload. Then, they used a second vulnerability in the version of Linux that Tesla uses to gain full privileges on the head unit. Finally, they overwrote the firmware in a “gateway” that separates the head unit from the CAN bus – which can be used to control key car operations – to defeat the security mechanism therein that allows only a small set of whitelisted commands to be sent from the head unit to the driving systems. Ultimately, this allowed them to remotely activate the vehicle’s brakes.

It wasn’t too long ago that the worst that could come out of a vulnerability in a browser was an end user’s PC being compromised. Interestingly, Tesla’s fix for the problem was to ship “code signing” as part of a firmware update, so that further updates to components on the vehicle’s CAN bus require a cryptographic key that only Tesla holds.

This is the right approach to solving the problem, and one that Tesla CTO J.B. Straubel correctly says should become a standard in the auto industry. Interestingly, IBM Lotus Notes had code signing for updates in Release 1, shipped in 1989!
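As an added illustration (not Tesla’s code, which is not public), here is the shape of the check such a gateway performs: a signed update package is accepted only if its Ed25519 signature verifies under a public key baked into the component, so a tampered image, even one delivered by a fully compromised head unit, is refused. The package format, the key handling and the sample firmware bytes are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Package layout (constructed for this example): a 4-byte magic, a 64-byte
// Ed25519 signature over the payload, then the firmware payload itself.
var magic = []byte("FWS1")
const sigLen = ed25519.SignatureSize

// SignFirmware builds an update package. The private key lives only in the
// vendor's release infrastructure; it never ships on the vehicle.
func SignFirmware(priv ed25519.PrivateKey, payload []byte) []byte {
	sig := ed25519.Sign(priv, payload)
	pkg := append([]byte{}, magic...)
	pkg = append(pkg, sig...)
	return append(pkg, payload...)
}

// VerifyFirmware is the check the gateway runs before flashing anything. It
// needs only the public key, which is baked into the component's firmware,
// and returns the payload only if the signature verifies.
func VerifyFirmware(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pkg) < len(magic)+sigLen || !bytes.Equal(pkg[:len(magic)], magic) {
		return nil, errors.New("malformed update package")
	}
	sig := pkg[len(magic) : len(magic)+sigLen]
	payload := pkg[len(magic)+sigLen:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("signature check failed: refusing to flash")
	}
	return payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := SignFirmware(priv, []byte("constructed gateway firmware v2"))
	_, err := VerifyFirmware(pub, pkg)
	fmt.Println("genuine package accepted:", err == nil)
	// Flip one payload byte, as a compromised head unit could do.
	tampered := append([]byte{}, pkg...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = VerifyFirmware(pub, tampered)
	fmt.Println("tampered package rejected:", err != nil)
}
```

The same check also rejects a package signed under a different key, which is the property that matters once the head unit itself is assumed hostile.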

As cars get more connected and autonomous, the stakes on getting security right are high. Security for cars is catching up to security for other connected consumer devices, with decades-old attack vectors and decades-old security mechanisms being brought back into play. Interesting times!