As reported by ComputerWorld: Electric carmaker Tesla Motors wants security researchers to hack its
vehicles. In coming months, the Silicon Valley based high-tech carmaker
will hire up to 30 full-time hackers whose job will be to find and
close vulnerabilities in the sophisticated firmware that controls its
cars.
"Our security team is focused on advancing technology to secure connected cars," a company spokesman said via email. The focus is on "setting new standards for security and creating new capabilities for connected cars that don't currently exist in the automotive industry. The positions are full time, and we will have internship opportunities as well."
Tesla's cars are among the most digitally connected vehicles in the industry with the battery, transmission, engine systems, climate control, door locks and entertainment systems remotely accessible via the Internet.
So the company has a lot at stake in ensuring that the connectivity that allows its vehicles to be remotely managed doesn't also provide a gateway for malicious hackers.
Security researchers have already shown how malicious attackers can break into a car's electronic control unit and take control of vital functions including navigation, braking and acceleration.
In 2013, two researchers at the Defense Advanced Research Projects Agency (DARPA) showed how they could take control of a vehicle through the controller area network (CAN) used by devices in a car to communicate with each other. The researchers showed how attackers could send different commands to a car and cause it to brake or accelerate suddenly or jerk its steering wheel in different directions.
In that study, the researchers needed physical access to the CAN bus to carry out the attack. However, researchers have noted that similar attacks can be carried out wirelessly by accessing the CAN bus through Bluetooth connections, compromised Android smartphones and vehicle tracking and navigation systems like OnStar.
Such concerns have begun gaining wider attention with the federal government's plans to require all vehicle manufacturers in the U.S. to incorporate vehicle-to-vehicle (V2V) communications capabilities in all light vehicles over the next few years.
The goal is to have a standard in place that would allow vehicles to automatically exchange information, such as speed and location data, with each other, with a view to avoiding collisions.
In a notice in the Federal Register this week, the National Highway Safety Traffic Administration (NHSTA) said it was seeking comments on the privacy and security implications of V2V technology.
"Some crash warning V2V applications, like Intersection Movement Assist (IMA) and Left Turn Assist (LTA), rely on V2V-based messages to obtain information to detect and then warn drivers of possible safety risks in situations where other technologies have less capability," the agency noted.
Tesla has been among the most proactive carmakers in addressing potential security threats. It was the only automaker to attend the recent Def Con security conference in Las Vegas, where a security executive took the opportunity to promote the company's responsible vulnerability reporting program and to recruit new team members.
The company says it has a policy of not taking legal action against security researchers who hack into its in-car systems so long as they comply with its responsible disclosure practices, which include full vulnerability disclosure and good faith efforts to avoid data destruction and privacy violations. It offers a bounty to hackers who help uncover particularly serious flaws in its firmware.
Tesla even maintains a security researcher hall of fame listing the names of about 20 researchers who have so fair reported confirmed vulnerabilities to the company.
"Our security team is focused on advancing technology to secure connected cars," a company spokesman said via email. The focus is on "setting new standards for security and creating new capabilities for connected cars that don't currently exist in the automotive industry. The positions are full time, and we will have internship opportunities as well."
Tesla's cars are among the most digitally connected vehicles in the industry with the battery, transmission, engine systems, climate control, door locks and entertainment systems remotely accessible via the Internet.
So the company has a lot at stake in ensuring that the connectivity that allows its vehicles to be remotely managed doesn't also provide a gateway for malicious hackers.
Security researchers have already shown how malicious attackers can break into a car's electronic control unit and take control of vital functions including navigation, braking and acceleration.
In 2013, two researchers at the Defense Advanced Research Projects Agency (DARPA) showed how they could take control of a vehicle through the controller area network (CAN) used by devices in a car to communicate with each other. The researchers showed how attackers could send different commands to a car and cause it to brake or accelerate suddenly or jerk its steering wheel in different directions.
In that study, the researchers needed physical access to the CAN bus to carry out the attack. However, researchers have noted that similar attacks can be carried out wirelessly by accessing the CAN bus through Bluetooth connections, compromised Android smartphones and vehicle tracking and navigation systems like OnStar.
Such concerns have begun gaining wider attention with the federal government's plans to require all vehicle manufacturers in the U.S. to incorporate vehicle-to-vehicle (V2V) communications capabilities in all light vehicles over the next few years.
The goal is to have a standard in place that would allow vehicles to automatically exchange information, such as speed and location data, with each other, with a view to avoiding collisions.
In a notice in the Federal Register this week, the National Highway Safety Traffic Administration (NHSTA) said it was seeking comments on the privacy and security implications of V2V technology.
"Some crash warning V2V applications, like Intersection Movement Assist (IMA) and Left Turn Assist (LTA), rely on V2V-based messages to obtain information to detect and then warn drivers of possible safety risks in situations where other technologies have less capability," the agency noted.
Tesla has been among the most proactive carmakers in addressing potential security threats. It was the only automaker to attend the recent Def Con security conference in Las Vegas, where a security executive took the opportunity to promote the company's responsible vulnerability reporting program and to recruit new team members.
The company says it has a policy of not taking legal action against security researchers who hack into its in-car systems so long as they comply with its responsible disclosure practices, which include full vulnerability disclosure and good faith efforts to avoid data destruction and privacy violations. It offers a bounty to hackers who help uncover particularly serious flaws in its firmware.
Tesla even maintains a security researcher hall of fame listing the names of about 20 researchers who have so fair reported confirmed vulnerabilities to the company.