
Tesla Increases Bug Bounty Payout After Experts Hack Model S

Tesla Model S

LAS VEGAS - DEF CON 23 - Shortly after researchers disclosed a series of vulnerabilities found in the Tesla Model S, the electric car maker announced that it is increasing its maximum bug bounty payout to $10,000.

Tesla Motors launched its bug bounty program in June. The company initially offered experts between $25 and $1,000 for reporting vulnerabilities in some of its web properties.

The automobile manufacturer announced last week at the DEF CON hacker convention in Las Vegas that it has increased the maximum amount of money it’s prepared to pay out to researchers who find serious security vulnerabilities.

Bounty hunters can now earn up to $10,000 for reporting SQL injection, command injection, and vertical privilege escalation vulnerabilities. According to Tesla’s current bug bounty page on the Bugcrowd platform, the program targets the company’s websites, mobile applications, and hardware (including vehicles and the Powerwall home battery).

This was the second time Tesla was present at DEF CON. The carmaker attended this year’s event to recruit cyber security talent.

Lookout co-founder and chief technology officer Kevin Mahaffey and Marc Rogers of CloudFlare have analyzed a Tesla Model S and identified a total of six vulnerabilities. With initial physical access to the car, the researchers managed to exploit the security bugs to take full control of the vehicle’s infotainment system and perform any action that can normally be carried out from the touchscreen or the mobile app.

The experts managed to remotely open and close the front and rear trunks, lock and unlock the doors, and even start and stop the car.

One of the security issues found by Mahaffey and Rogers was related to the WebKit-based browser installed in Tesla cars. The old version of the browser installed in even the most recent vehicles was plagued by several vulnerabilities that have previously been used to compromise other systems.

The experts also discovered that two of the 30 services accessible on the internal network, namely the HTTP Service and the DNS Proxy, were outdated versions with known vulnerabilities.

The instrument cluster (IC) above the steering wheel and the touchscreen center information display (CID) were running the X Window System (X11) without any form of access control, the researchers said.

The final two security issues identified by Mahaffey and Rogers are related to the car’s firmware. The researchers found the URL used to download firmware updates, which allowed them to conduct an analysis of the firmware. While they didn’t find any private keys in the firmware bundle, they did notice an encrypted password file for the IC. After decrypting this file, the experts determined that several user accounts for the IC had very weak passwords that could be easily cracked.

Within two weeks of being notified by the researchers, the carmaker pushed an over-the-air (OTA) update to every Model S to address some of the vulnerabilities and increase the overall security of the system.

Despite finding several vulnerabilities, Mahaffey says he feels more secure driving a Tesla Model S than any other connected car on the road. The expert says there is some room for improvement, but he believes Tesla engineers have made some very good decisions when it comes to security architecture.

Mahaffey applauded the company for implementing an OTA update process (which makes it easy for the company to distribute software updates without having to recall cars), the properly configured VPN, the fact that onboard account passwords are rotated every 24 hours, and the isolation of the infotainment system from critical vehicle systems.

Tesla is not the only car hacked recently. In July, researchers Charlie Miller and Chris Valasek demonstrated that they can remotely hijack Fiat Chrysler cars by exploiting vulnerabilities in the Uconnect in-vehicle connectivity system. After the researchers disclosed their findings, the carmaker decided to recall 1.4 million cars and trucks to install a software update that addresses the flaws found by Miller and Valasek.

Researcher Samy Kamkar also had an interesting car hacking presentation at DEF CON. The expert detailed some tools and techniques that can be used to steal cars.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.