DEF CON 23 It takes guts to own up to your mistakes and Tesla’s CTO showed plenty when he arrived on stage at DEF CON to personally thank the hackers who uncovered six serious vulns in the Model S sedan.
JB Straubel was a surprise sight at the event as Kevin Mahaffey, CTO of mobile security firm Lookout, and Cloudflare’s principal security researcher Marc Rogers explained to the assembled throng of hackers how they had pwned the Model S.
As Tesla's CTO was a newbie at the show, the organizers made him take what has become the traditional shot of spirits during the confab.
The flaws allowed the attackers to get root access to the Model S’s computer systems, enabling a malefactor to remotely lock and unlock the car, fiddle with the entertainment system, substitute data on the driver’s instrument panel, or apply the emergency brake if the car was travelling at under five miles per hour.
Straubel thanked the duo for their work on the vehicle and for flagging it up to him. He also presented them with “Challenge Coins”, which will be given to any researcher who finds a serious security hole in an Elon Musk jalopy.
Tesla's CTO also announced that the company planned to increase the value of its bug bounty program. The scheme, launched in June, had paid out a maximum of $1,000 for a serious flaw. That figure has now ballooned to $10,000, but to get the big payout you’ve got to find a command injection flaw or a vertical privilege escalation.
Musk's firm also used the Las Vegas hacking convention to appeal for security experts to work at Tesla and strengthen its IT systems. The company had a dominant presence at the show, with a Model S on display and a direct appeal to hackers to come onside.
Somewhat impromptu, but seemingly sincere
There were a lot of car hacks on display at Black Hat and DEF CON this year, including the minor, the inventive, and the downright dangerous. It’s clear that as cars get smarter, hackers are increasingly looking for ways to subvert their systems, with real success.
So far Tesla is the only car maker to offer a bug bounty program, even though it was extremely frugal by the standards of Google or Microsoft. But other motor manufacturers should take note; the hackers are coming for them and – as Chrysler has found out – the results can be costly and embarrassing. ®