There was a “car hacking” area at Defcon 23 last week, where Tesla proudly displayed their brand and a new Model S. While there were a couple of other vehicles at the show (in various states of having their electronics torn down), the buzz was all about Tesla.
The Model S was hacked, and that was big news at the conference. After the hack, Tesla fixed the vulnerabilities and delivered patches to their vehicles using an Over The Air (OTA) update. With OTA, drivers didn’t need to bring their vehicles in for service or worry about managing software upgrades; updates happened automatically.
By being an active participant at Defcon, Tesla is showing how to build a positive, trusting and productive relationship with white hat hackers. When the hackers called Tesla with the vulnerabilities, Tesla quickly responded. As a result, they now have a more secure system and better separation between core car systems (engine, brakes, etc.) and the infotainment functions. The differences between Tesla’s approach and the Jeep approach are pretty stark.
Manufacturers across industries should take note of Tesla’s engagement of the Defcon community as a model to follow. Companies need to engage and build trust with white hat hackers if they are to fully utilize the knowledge and expertise the community offers.
The Model S is just one example of a Thing connected to the Internet – an IoT device. A Tesla is a big-ticket item, with serious implications if it is compromised. From that perspective, Tesla’s investment in back-end infrastructure and OTA systems makes a lot of sense. Similar infrastructure should be in place for other IoT devices, but is often not.
Take IoT baby monitors, for example. None of the products tested at Defcon met even a minimal level of security, including several products that lack encrypted video and audio feeds. The problem is that a baby monitor is an inexpensive device (compared to a Tesla), and the economics make it harder to justify large investments in security and back end systems. This is a problem (and opportunity) the industry needs to address. Some security frameworks are emerging, but we don’t yet have a comprehensive approach. Until we do, we will see more IoT hacks. While they may not get the media attention the Tesla hack got, in many ways they are just as serious and are more difficult to fix.
We need to get to a place where more IoT vendors are proud to display their brands at Defcon (and other security conferences) because they understand the importance of security and are willing to engage positively with hackers. Perhaps next year, we will see many more companies alongside Tesla at Defcon, proudly displaying their brand.