In 2020, Jacob Archuleta, a researcher nicknamed Nullze, discovered an important information security vulnerability on the web browser of the Tesla Model 3 automobile. If a user of the car’s boarding computer visits a specific website, the entire touchscreen becomes unusable.
The vulnerability was quickly reported to Tesla in accordance with its bug bounty program. Tesla pays bug reporters between $100 and $15,000 for each reported cyberthreat. In February 2020, Tesla quickly addressed the reported bug by releasing a software update version 2020.4.10. Users of Tesla vehicles had the opportunity to install the update immediately or delay the installation for later.
The purpose of this article is to examine the vulnerability discovered by Nullze and provide recommendations on how to protect Tesla cars against similar vulnerabilities.
The vulnerability discovered by Nullze
Nullze found a vulnerability which allowed attackers to trigger the initiation of computer processes that overwhelm the boarding computer of the Tesla Model 3 and cause the entire touchscreen to freeze. The vulnerability is particularly dangerous because it turns off the autopilot notifications, the speedometer, the climate controls, the navigation and other important functions on Tesla Model 3. This may confuse the driver of the car and even lead to car crashes. For example, since the speedometer blocks completely after the attack, the driver may unintentionally overspeed and cause a car crash. The CVSS Version 3 of the US National Vulnerability Database assigned a base score of 6.5 to the vulnerability, which indicates that it is of medium severity.
The attack used to freeze Tesla’s boarding computer is a form of a denial-of-service attack (DoS). This type of cyberattack aims to make a computer unavailable by flooding it with a large number of requests in order to overburden its data processing capacities.
Team Fluoroacetate, a group of two researchers who discovered a just-in-time (JIT) browser bug on Tesla Model 3 in 2019, inspired Nullze to identify the attack vector. Team Fluoroacetate exploited the JIT bug in such a way as to display their own message on the infotainment system. As a reward for finding the JIT bug, Tesla gave to the researchers a Tesla Model 3.
Tesla’s approach regarding bugs on the boarding computers of Tesla cars should be applauded. Although no software is 100% bug-free, the company is actively engaged in testing its software and quickly addresses the identified bugs. The Tesla bug bounty program on Bugcrowd includes a legal safe harbor, allowing security researchers to avoid liability for conducting security investigations.
To benefit from the safe harbor, researchers need to meet a number of conditions, including, but not limited to:
- Provide Tesla with information about the vulnerability
- Make a good-faith effort to avoid privacy violations, destruction of data and interruption of Tesla’s services
- Abstain from modifying or accessing data that does not belong to the security researcher
- Make the information about the bug public only after providing Tesla with reasonable time to address the reported bug
Protection against similar cyberattacks
Individuals willing to protect against cyberattacks similar to the attack discovered by Nullze need to install all relevant information security patches as soon as they become available. Many software applications (including Tesla’s boarding software) provide their users with the option to automatically install security patches or to wait with the installation until a later date. The first option is always preferable, as it will ensure that the security vulnerability will be addressed quickly. The computers of people who choose the second option will remain vulnerable until they agree to install the security patch.
To protect against DoS attacks similar to the one outlined above, users of internet browsers are advised to visit only trusted websites. It is highly unlikely that such websites will include malicious software utilizing browser vulnerabilities.
Many vendors of antivirus malware offer tools allowing their users to evaluate the trustability of websites of their choice. For example, Trend Micro’s Site Safety Center assigns a score to websites on the basis of various factors: indications of suspicious activities, website’s age, changes and historical locations, to name a few. Based on those factors, the Center categorizes each of the examined websites in one of the following three categories: Safe, Dangerous and Suspicious.
This article has shown that even the software of one of the most innovative companies in the world (Tesla) had security vulnerabilities that could have led to car crashes and other accidents.
Pertaining to the consequences of cyberattacks on automobiles, it is worth reminding the readers about an experiment conducted in 2015 during which two computer security researchers located far away from the experimental car (the Jeep Cherokee) succeeded to turn on its radio and increase the volume to the maximum extent, turn on its air conditioning system and activate the windscreen fluids and the windshield wipers. All of this happened while the automobile was in full motion. The driver of the Jeep could do nothing to reverse any of those actions.
The aforementioned observations clearly show that users of automobile boarding computers need to take serious measures in order to avoid cyber incidents. Such measures need to include the regular installation of suitable patches and avoiding suspicious websites.
- Tesla, Bugcrowd
- Tesla Awards Researcher $10,000 After Finding XSS Vulnerability, SecurityWeek
- Vulnerability Exposed Tesla Central Touchscreen to DoS Attacks, SecurityWeek
- CVE-2020-10558 Detail, NIST
- Tesla Model 3 Hack – Disable Entire Tesla Model 3 Interface, Safekeep Security
- Site Safety Center, Trend Micro
- Lim, H., “Autonomous Vehicles and the Law: Technology, Algorithms and Ethics,” Edward Elgar Publishing