tesla hacking - ecv international · kickstarting tesla’s move to push out its code signing...

Tesla Hacking: Cyber-Security Learnings and Insights of Connected Cars Samuel Lv | Keen Security Lab, Tencent


Post on 08-Jun-2020


Keen Lab: It is all about SECURITY!


PC/Mobile Operating Systems

PC/Mobile Applications

Cloud Computing/Virtualization/Web

Connected Car/IOT Devices


Tesla deserves full respect for responding to the hacking case efficiently

Learnings from Tesla Hacking Case


1. Respond to BIG Security Issues at CXO Level

JB Straubel (Tesla CTO) credits Keen Lab’s researchers for kickstarting Tesla’s move to push out its code signing upgrade.

“They did good work. They helped us find something that’s a problem we needed to fix. And that’s what we did.”


Tesla Product Team

Issue Reproduced

Update Developed

Update Tested

Development Practices Updated

1.5 Hours

10 Days

90% Updated in 3 days, New code Signing Mechanism

2. Exhaustive Efforts on Quick Fixing


3. Appreciation, Recognition and Rewards

Granted Keen Lab the highest reward in Tesla's history


Cyber-Security Insights of Connected Cars


2015.7 An FCA Jeep was hacked remotely. The hackers demonstrated unauthorized remote control of the Jeep. Security vulnerabilities in different modules, including the TSP, telecom network, head unit, etc., were reported to Chrysler. Impact: FCA recalled 1.4 million Jeeps sold in North America.

2015.7 Hackers hijacked the OnStar mobile app and demonstrated unauthorized remote control such as unlocking the doors, starting the engine, sounding the horn, etc. The issue was related to a security vulnerability in the OnStar mobile app and TSP modules. Impact: OnStar released an urgent security fix.

2016.2 The Nissan LEAF EV mobile app was hijacked. The hacker achieved unauthorized remote control, switching on the air conditioning, flashing the lights, etc. Security vulnerabilities in the LEAF mobile app and TSP modules caused the issue. Impact: Nissan temporarily shut down the remote control services from the TSP.

2016.9 Keen Lab built, for the first time worldwide, a full attack chain proving that Tesla could be hacked remotely, and achieved unauthorized remote control in both parking mode and driving mode. The full attack chain successfully exploited security vulnerabilities in the in-vehicle browser, head unit OS, CAN gateway, CAN protocols and critical ECU modules. Impact: After receiving Keen Lab’s detailed disclosure, Tesla issued a set of urgent patches within 10 days and pushed the patches to the various Tesla models worldwide.

1. Cyber-Security, a Big Challenge to Connected Car OEMs


2. Easy to Attack, Hard to Hold!

CAN BUS & ECUs

Infotainment OS

IV APPs

OBDII

WiFi Hotspot

Bluetooth

USB

T-Box

Gateway

BT Key

OEM TSP

3rd party CP Services

OEM backend Services

Internet Services/Content

Mobile APP User Portal

Charging Station

ADAS

V2X

N Attack Surfaces


Security Needs Holistic View!


3. Product Security and Security Protections/Policies are Both Important

TESLA: All about VUL/EXP

Cellular/Wifi

Multiple vulnerabilities with exploits to get code execution ability

Vulnerability with exploit to escalate system privilege and disable AppArmor to get Linux ROOT permission

Bypass code integrity check and patch gateway firmware

Send malicious CAN messages on arbitrary CAN channels

Cellular: Phishing with malicious URLs

Wifi: Malicious hotspot

Browser auto connect behavior

Cellular: No segmentation of cellular network and automotive network

No access control implemented for D-Bus service access, and no restrictions of D-Bus arbitrary command execution

Browser

Linux Kernel

Gateway

CAN

D-Bus Service

QNX Kernel

Gateway

CAN

Vulnerability with exploit to escalate system privilege to get QNX ROOT permission

Patch gateway firmware by redirecting update source from USB to a malicious location

Send malicious CAN messages on arbitrary CAN channels

FCA JEEP: Security Policy Issue & VUL/EXP


4. OTA is Essential to Connected Cars, and Security of OTA is Also Critical


Providers’ Modules Are a BLACKBOX to the OEM!

5. Tier-1/2 Providers Play Key Roles in Cyber-Security


Starting from here: focus on the four elements of building security

Knowledge & Expertise

Engineering Mechanism

Mitigation Technologies

Policies & Processes

Right people do right things

Prevention has lower cost

Raise the cost of attacks

Be quicker than attackers

6. Security Will Become Fundamental Capability to OEMs and Providers


Cyber-Security Management

Concept Phase

Product Development

Production Operation

Supporting Process

• Creating Cyber-security culture

• Establish Cyber-security engineering process

• Develop security training

• Expand field monitoring process

• Identify the important assets and risks

• Threat Modeling

• OCTAVE

• STRIDE

• DREAD

• ATA

• Create Cyber-security Plan

• Beginning preliminary Cyber-security assessment

• System Level, Hardware Level and Software level

• Engineering teams identify detailed Cyber-security requirements

• Apply Cyber-security assessment

• Red Team Versus Blue Team

• Penetration test

• Check list

• Applying a Cybersecurity Process together with a Safety Process

• Monitor field for Cyber-security issues

• Include Security Update process and tools through maintenance and care

• Follow an incident response plan for Cyber-security issues

• Supplier is capable of producing Cyber-security-critical features

• Agree to the Cyber-security work products

• Gate review at key milestones

• Report to each other for Cyber-security issues

• Responsible to fix the issues

Systematic Thinking of Cyber-Security Management


Design Phase Develop Phase Test Phase Release

Security Infrastructure and Threat Modeling:

• IV Connectivity Modules
• TSP Modules
• Communication Mechanisms
• Encryptions & Decryptions
• Secure OTA Architecture
• Etc.

Security service to Tier 1:

• IV Connectivity Modules
• TSP Modules
• Mobile APP Modules
• Encryptions & Decryptions
• Etc.

Assist to achieve Security Best Practice according to SDL:

• Secure Coding Best Practices
• Security Requirements / Standards to Tier-1 Providers

Security Capacity transfer:

• Attacks & Defenses 101 Trainings to IT engineers & Developers

Security Capacity transfer:

• SDL Management Framework Trainings

• SAE J3061 Practices Trainings

Security Code Review:

• Native code review
• Web code review

Security Pen Test:

• IV Connectivity Modules
• TSP Modules
• Mobile APP & User Portal Modules
• Communication Mechanisms
• Encryptions & Decryptions
• Hardware gateway/firewall Modules
• System Upgrade Security

Incident Response:

• Technical Analysis on security incidents

• Technical Advisory on mitigations and protections

Product Security Services: Security in Full Product Lifecycle


Not Only Product Security, But Protections...

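Legu (乐固), Dayu (大禹) products, Host Protection, Tianyu (天御) products

Mobile security training

Cloud penetration testing

Web security attack-and-defense training

Automotive information device penetration

App penetration testing

Mobile phone penetration testing

Automotive information security training

Automotive information security consulting

Cross-site scripting, injection, etc.; cloud API testing; transport channel security

OWASP; real-world case demonstrations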


4 C

Communication

Cross-Domain

Collaboration

Convergence


Tencent Automotive Industry Business Solutions & Eco-System

Cloud Computing & Big Data & AI

Carlink & Self-Driving

SSO User Account Platform

LBS, Map & Navi

Social & Online Marketing

Connected Car Security

Investment on Smart Transportation

Voice, Image & Facial Recognition
