Cybersecurity expert explains why Tesla's cars are some of the toughest to hack

Advertisement

Tesla Supercharger

AP/Sam Mircovich

A Tesla Model S charges at a Tesla Supercharger station in Cabazon, California.

A cybersecurity expert says that Tesla's cars are some of the toughest to hack, even though they are among the most connected cars on the road.

Advertisement

"Tesla is on the path to be the most secure car," David Kennedy, the CEO of TrustedSec, told Tech Insider. "I don't think that they're there yet, but I think they're definitely striving for it."

As a white hat hacker who works with three major auto manufacturers, Kennedy has a better view than most into how cars can be exploited or manipulated remotely. He told TI that car hacking is rather trivial for many models, since most use an old technology that never had security in mind.

Complimentary Tech Event
Transform talent with learning that works
Capability development is critical for businesses who want to push the envelope of innovation.Discover how business leaders are strategizing around building talent capabilities and empowering employee transformation.Know More

But that's not true for Tesla, which considers itself a technology company first, car company second.

"Tesla has a different approach, and it's completely the opposite way [from other manufacturers] because they are a newer company," he said. "It doesn't have all these hundreds of years of manufacturing processes they kind of go off."

Advertisement

The company's different approach starts with hiring hackers. Tesla said in 2014 it was hiring dozens of security researchers to test its cars, and right now, about 40 or so employees are dedicated to information security.

"Given the cutting edge nature of our technology, the security team constantly reviews and identifies new methods to defend our systems and protect our customers," a Tesla spokesperson told TI.

Though it's not just Tesla's own hackers trying to find holes in its cars or mobile apps. There are plenty of outsiders who are happy to point out vulnerabilities in exchange for a cash prize through its bug bounty program, which it started in 2014.

Security researchers can score anywhere from $100 to $10,000 if they find a bug in one of Tesla's cars, its app, or websites. According to the BugCrowd website, at least 135 bugs have been found so far.

Among hacks that were reported and quickly fixed: The ability to perform any action an owner could do through the touchscreen or app, which includes unlocking doors, or starting and stopping the car. That's a sharp contrast from how Nissan reacted when its own app was found with similar issues. Instead of fixing it, the company shut it down.

Advertisement

tesla model s redesigned

Tesla Motors

The approach makes Telsa unique among car companies that have struggled in recent years to proactively secure vehicles from cyber attack, especially as they become more connected every year. Among the automakers TI spoke with, only General Motors mentioned specific security protocols that its cars undergo.

GM also has a bug bounty program, though it doesn't pay any cash rewards.

"I definitely think in the future it will become a major front of attack," Kennedy said of criminals or other bad actors hacking cars. One theory he floated was that cybercriminals might one day adapt ransomware - software that holds computers hostage for money - to work on cars.

While Kennedy offered high praise for Tesla's security practices, he cautioned that "it only takes one hole for a hacker to exploit." In the case of Tesla, he said, an attractive target would probably be its central server, where all of its cars connect with to download software updates.

Advertisement

"Tesla is essentially running some of the core security principles we want to see in a car, but," Kennedy said. "If I hacked the main server infrastructure, I could take all of the Teslas off the road."

A Tesla spokesperson didn't offer any response when asked about that possible vulnerability. But with 40 or so employees dedicated to security in a company that constantly stress-tests its own systems, it's probably easier said than done.