Hackers Do the Dirty to Another Tesla Model 3

by Matt Posky

It’s Elon Musk’s birthday today, so we’ve decided to wish him well and say congratulations on Tesla Motors convincing the U.S. Commerce Department to waive the 10 percent tariff on imported aluminum so it can build more battery cells at the company’s Nevada Gigafactory. However, what would birthday well-wishing be without the all-important pinch to grow an inch?

Another Model 3 has been hacked, this time without the manufacturer’s blessing. We’re equating it to a mild goosing. Regulus Cyber, a company specializing in digital security, decided to give the Tesla (and a Model S) a shakedown by seeing if they could fool the car’s navigational equipment and upset/confuse Autopilot to the point of failure.

Let’s see how they did.

According to Bloomberg, the company purchased some readily available electronics equipment and got to work. Regulus Cyber’s own account said these items were a $150 Analog Devices ADALM-PLUTO Active Learning Module (for jamming) and a $400 Nuand bladeRF (for spoofing), both of which you can buy online with a valid credit card.

The plan was simple: jam the car’s reception of the legitimate GPS signal and spoof the system with falsified data. In the test, Regulus claimed it was able to trick the car into pulling off the highway. While cruising to a previously established location using Autopilot, the firm said it swapped in garbage GPS information that redirected the vehicle to a point 150 meters before an exit it was originally supposed to take.

“The exact moment that the [Model 3] was spoofed to the new location, it passed a dotted white line on it’s [sic] right hand side, leading to a small road into an emergency pit stop,” Regulus said. “Although the car was a few miles away from the planned exit when the spoofing attack began, the car reacted as if the exit was just 500 feet away — slowing down from 60 MPH to 24 KPH, activating the right turn signal, and making a right turn off the main road into the emergency pit stop. During the sudden turn the driver was with his hands on his lap since he was not prepared for this turn to happen so fast and by the time he grabbed the wheel and regained manual control, it was too late to attempt to maneuver back to the highway safely.”

The team set up the Model 3 and affixed a small antenna to the roof in order to simulate an outside attack. While the company claimed spoofing attacks on the Tesla GNSS/GPS receiver could easily be carried out wirelessly and remotely, it said the roof-mounted wire was put in place to ensure no nearby vehicles would be impacted by the test.
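A defender-side plausibility check for the jam-then-spoof sequence described above, as an added example that is not code from the article, Regulus Cyber or Tesla: it rejects a GNSS fix that has moved further than the wheels could have carried the car, and notes when the jump follows a loss of signal. It assumes a wheel-speed source independent of GNSS; the function names, the `gain` and `slack_m` thresholds and the track data are hypothetical and constructed.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def check_track(samples, gain=1.5, slack_m=30.0):
    """samples: (t_seconds, wheel_speed_mps, fix) where fix is (lat, lon) or None.
    Returns (t, reason, jump_m) for each fix that moved further than odometry allows."""
    alerts, trusted, travelled, outage, prev_t = [], None, 0.0, False, None
    for t, speed, fix in samples:
        if prev_t is not None:
            travelled += speed * (t - prev_t)   # distance driven since last trusted fix
        prev_t = t
        if fix is None:                          # receiver lost lock (e.g. jamming)
            outage = True
            continue
        if trusted is not None:
            jump = haversine_m(trusted, fix)
            if jump > gain * travelled + slack_m:
                reason = "jump after signal loss" if outage else "jump"
                alerts.append((t, reason, round(jump)))
                continue                         # reject the fix, keep dead reckoning
        trusted, travelled, outage = fix, 0.0, False
    return alerts

def constructed_track(spoofed):
    """Constructed data: 60 mph (26.8 m/s) due north, 2 s outage, then reacquisition."""
    step = 26.8 / 111_195                        # degrees of latitude per second
    track = [(t, 26.8, (36.0 + step * t, -115.0)) for t in range(5)]
    track += [(5, 26.8, None), (6, 26.8, None)]
    for t in (7, 8):
        lat = 36.045 + step * (t - 7) if spoofed else 36.0 + step * t
        track.append((t, 26.8, (lat, -115.0)))
    return track

if __name__ == "__main__":
    print(check_track(constructed_track(spoofed=True)))
    print(check_track(constructed_track(spoofed=False)))
```

A genuine reacquisition after the same outage passes because the fix lands where odometry says the car should be; the spoofed fix, roughly 5 km ahead, does not.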

Tesla dismissed these assertions, suggesting that Regulus Cyber had orchestrated the test as a marketing ploy. “These marketing claims are simply a for-profit company’s attempt to use Tesla’s name to mislead the public into thinking there is a problem that would require the purchase of this company’s product,” a Tesla spokesperson said. “That is simply not the case. Safety is our top priority, and we do not have any safety concerns related to these claims.”

The automaker also spoke to Regulus directly, saying that “any product or service that uses the public GPS broadcast system can be affected by GPS spoofing, which is why this kind of attack is considered a federal crime. Even though this research doesn’t demonstrate any Tesla-specific vulnerabilities, that hasn’t stopped us from taking steps to introduce safeguards in the future which we believe will make our products more secure against these kinds of attacks.”

While the test certainly did get Regulus Cyber into the news, and it has a follow-up webinar planned for next month, Tesla’s commitment to safety needs some additional context. Multiple consumer advocacy and automotive safety groups have been critical of Tesla’s Autopilot function for possessing a “misleading” name. The issue has only gotten worse following several fatal incidents involving the system.

Since then, the automaker has tried to be more clear about what the semi-autonomous technology within its vehicles can actually do and updated Autopilot to encourage people to keep their hands on the wheel. It also runs a “bug bounty program” that rewards white-hat hackers who expose vulnerabilities. However, that appears to be what Regulus Cyber set out to do. Where’s their cash prize?

Perhaps they don’t deserve one. While the subject of this test happened to be a Model 3, it’s not as though they’re the only vehicles that could be impacted by GPS manipulation. Any connected car with advanced driving aids could be, ahem, taken for a ride — so to speak. And so could everyday folks with a bad sense of direction that indisputably trust their GPS.

From Bloomberg:

In a 2018 paper winkingly titled “All Your GPS Are Belong to Us: Towards Stealthy Manipulation of Road Navigation Systems,” researchers demonstrated the possibility that spoofing — substituting pirate signals for those of a GPS satellite — could stealthily send you to the wrong destination.

While they note the threat of GPS spoofing has been discussed as far back as 2001, and that spoofing has been shown to work in other contexts, their experiment was the first to test road navigation systems. The researchers used real drivers behind the wheel of a car that was being told to go to the wrong place.

Some 38 out of 40 participants followed the illicit signals, the researchers said.

“The problem is critical, considering that navigation systems are actively used by billions of drivers on the road and play a key role in autonomous vehicles,” wrote the authors, who hail from Virginia Tech, the University of Electronic Science and Technology of China and Microsoft Research.

While it’s been absolutely proven that Teslas (and most other modern cars) can be hacked, the severity of these events varies quite a bit. Tesla Motors was critical of Regulus Cyber’s use of a small antenna fixed to the car to conduct its test, suggesting that it would be overkill for someone attempting a malicious act, and added that the car did not behave in an unsafe manner after being hacked. There were also gripes over how Navigate on Autopilot was not entirely susceptible to the attack, as it doesn’t use GPS and map data for all functions. A Model S, which was similarly tested, proved more resilient to spoofing attacks — with researchers only able to upset its adjustable suspension.

The security team refuted these claims, saying that trust must be earned by all manufacturers and expressing fears that cyber attacks will become increasingly dangerous as more cars are networked. It also scoffed at Tesla’s mention of future safeguards, saying that there’s an issue needing to be solved today.

“The more GPS data is leveraged in automated driver assistance systems, the stronger and more unpredictable the effects of spoofing becomes,” said Yoav Zangvil, Regulus Cyber CTO and co-founder. “The fact that spoofing causes unforeseen results like unintentional acceleration and deceleration, as we’ve shown, clearly demonstrates that GNSS spoofing raises a safety issue that must be addressed … In addition, the spoofing attack made the car engage in a physical maneuver off the road, providing a dire glimpse into the troubled future of autonomous cars that would have to rely on un-secure GNSS for navigation and decision-making.”

[Images: Regulus Cyber]

Matt Posky

A staunch consumer advocate tracking industry trends and regulation. Before joining TTAC, Matt spent a decade working for marketing and research firms based in NYC. Clients included several of the world’s largest automakers, global tire brands, and aftermarket part suppliers. Dissatisfied with the corporate world and resentful of having to wear suits every day, he pivoted to writing about cars. Since then, that man has become an ardent supporter of the right-to-repair movement, been interviewed on the auto industry by national radio broadcasts, driven more rental cars than anyone ever should, participated in amateur rallying events, and received the requisite minimum training as sanctioned by the SCCA. Handy with a wrench, Matt grew up surrounded by Detroit auto workers and managed to get a pizza delivery job before he was legally eligible. He later found himself driving box trucks through Manhattan, guaranteeing future sympathy for actual truckers. He continues to conduct research pertaining to the automotive sector as an independent contractor and has since moved back to his native Michigan, closer to where the cars are born. A contrarian, Matt claims to prefer understeer — stating that front and all-wheel drive vehicles cater best to his driving style.


Comments
  • TrooperII on Jun 30, 2019

    Why does anyone even listen to Musk anymore? He's the best snake oil salesman maybe ever, but that's what he is. Billions in VC and no oversight and now Tesla is circling the drain while he's busy boring tunnels. This after the "revolutionary" "new" transit system, Hyperloop. That was another idea that was patented 100 years ago. Landing launch vehicles on barges? A little company named Grumman was doing that in the 60's. Yet everyone thinks these are some kind of new technologies. Easily verifiable facts. Then he ham-handedly tries to manipulate the stock price. He's no brainiac.

    • 28-Cars-Later on Jul 02, 2019

      @SCE to AUX The poster child for Agenda 21 is TBTF. Watch.

  • SuperCarEnthusiast on Jul 01, 2019

    Modern day technique for hijacking or possibly kidnapping the occupants!

    • Vulpine on Jul 02, 2019

      If the driver is at all attentive, the method simply wouldn't work. The vehicle simply starting to slow down early as described in the article would have been enough for me to take over control at least until I could figure out why it did so. I certainly wouldn't have let it even start the turn itself when the car is clearly well short of the intended exit.
