Dalvin Brown
USA TODAY
Published 6:01 AM EDT Jul 5, 2019
In March, a Tesla Model 3 was hacked.
The duo responsible for uncovering the vulnerability accessed the cars web browser, executed code on its firmware and displayed a message on the infotainment system before making off with the Model 3 and $375,000.
The hackers didn't remotely take total control of the car or wreak havoc on its door locks or brakes while an innocent driver sat inside. In fact, they weren't able to break into any other systems in the electric vehicle, and the cash they collected came in the form of a check from Tesla.
It was all part of a three-day cybersecurity contest called Pwn2Own, an event where Tesla pays top dollar to anyone masterful enough to find previously unknown bugs. Correcting any weakness helps the electric car company protect the people who drive its vehicles, it hopes.
As an increasing number of cars become hi-tech computers on wheels, experts say that vehicles — like everything else that connects to the internet — are inherently hackable. That means every smart car could theoretically be broken into and controlled on some level by savvy hackers, criminals or worse.
While unrealized threats exist, automakers' efforts to protect motorists are extending beyond hiring experienced internal security teams.
Don't take the A train: Google Maps can now warn you about how crowded buses and trains are
'Get in the right car':Check out these safety tips before hopping in an Uber or Lyft
For companies like Tesla, that means entering cars in rigorous third-party testing competitions or implementing other so-called "bug bounty programs" to encourage security researchers to actively locate and report any hot spots on the companys hardware.
At face value, encouraging outsiders to search for flaws may appear counter-intuitive. However, not only does the move give skilled hackers a chance to flex their muscle, but it also helps companies like Tesla, GM and others strengthen car security.
"We believe that in order to design and build inherently secure systems, manufacturers must work closely with the security research community to benefit from their collective expertise,” Tesla said in a statement to USA TODAY.
Tesla used a software update to fix the vulnerability found by the “white hat,” or ethical, hackers, which is a benefit as drivers don't have to visit a repair shop or pay fees to get an car's software updated.
Bug bounty programs
Tesla's approach toward plugging access holes began with its bug bounty program in 2014, however, it's not the only automaker that invites hackers to test systems.
Fiat Chrysler has had a bug bounty program in place since 2016 and it pays hackers up to $1,500 each time they discover a previously unknown vulnerability. GM officially rolled out its bug bounty program in 2018 after establishing what it calls the Security Vulnerability Disclosure Program in 2016.
More than 500 researchers have participated in GM's program to identify and resolve more than 700 vulnerabilities.
Ford announced in January that it's selecting top researchers to participate in future special hacking projects.
In order to thwart hackers, automakers and their suppliers are taking multiple approaches to protect cars from all sides, according to Asaf Ashkenazi, chief strategy officer at Verimatrix, a security and analytics software firm.
He said that cars today are in the beginning stages of what he called a three-prong approach to smart car security.
"They are filtering away the obvious attacks from the outside by trying to create firewalls between subsystems," he said. "If one is compromised, the hacker can't move to other systems."
This approach was shown during the Tesla hack as the Palo Alto-based company managed to contain the damage to just the browser while protecting all other vehicle functions.
Remote updates
The next level of protection from automakers is the ability to upgrade and fix issues via the airwaves, Ashkenazi said.
Legacy car companies have lagged behind Tesla's ability to send these smartphone-style refreshes to its customers. The Palo Alto-based company uses the feature to update everything from semi-autonomous driving modes to cheeky Easter eggs or hidden gems.
Teslas for the robotaxi fleet: With every update, owners feel like they got a new car
When responding to bugs, the company has fixed issues through software updates within a few days of discovering vulnerabilities.
Alongside Tesla, some of Ford and General Motor's 2020 models will allow over-the-air updates that can upgrade a vehicle with new features and remotely fix problematic software. GM's 2020 Cadillac CT5 will come with a new "digital nerve system" that makes the updates possible.
In May, GM announced that most of its global models will be capable of over-the-air software upgrades by 2023.
Constant monitoring
The third level of consumer vehicle protection involves having AI detect that a car is behaving differently. That gives automakers a better chance to identify attacks early on, Ashkenazi said.
Third-party software companies like Argus Cyber Security are stepping in help car companies develop and bake-in these types of remote diagnostics capabilities during the production process.
Digital eyes: Where are the cameras in your car and what are they looking for?
"Even if you have real-time protection inside the vehicle, you still need to know that one of your cars is being targeted," said Monique Lance, director of marketing at Argus Cyber Security.
That's where monitoring technology steps in, allowing auto companies to perform cross data analysis and identify suspicious behavior that could otherwise be missed.
