by obblekk 876 days ago
Tesla software has such a large surface area to attack compared to traditional OEMs where most subsystems are effectively air gapped.

It’s their advantage when it comes to coordinated user experience, but might become a problem as the fleet size increases and becomes a more valuable hacking target.

I could see security becoming a bigger part of CarPlay/Android auto’s pitch to OEMs.

6 comments

> the fleet size increases and becomes a more valuable hacking target.

Tesla has a (IMO ridiculous) high market cap and stock value. A severe hack could affect that, which, combined with a short position, would allow attackers to make a large amount of money.

What I'm saying is: Tesla already is a valuable hacking target.

I've been waiting for a cybersecurity incident to move markets since forever. It seems consumers and investors don't really care.
The SEC's Twitter hack was just a few days ago,

https://news.ycombinator.com/item?id=38932228

According to one of the comments: "The price of BTC initially jumped 3% on the hacked tweet. That's $25bn+ of market cap."

The SolarWinds hack at the end of 2020 cut SWI from ~$25 to $15 a share in very short order. Pun intended.
SolarWinds was a cybersecurity company, so a hack causes people to fundamentally question things. Tesla, on the other hand, doesn't need cars to get hacked for them to self-drive people into barriers or emergency vehicles, and the stock price isn't touched when yet another person dies. Why would a hack change anything?
"hacking tesla" is much broader than crashing a car that's self driving.

It's lifting secret keys that allow criminals to open any Tesla till an OTA update or callback has been rolled out, for days exposing your Tesla+luggage to theft. Or just breaking stuff: imagine the flak of every Tesla driver suddenly losing access to navigation or entertainment for weeks. Or camera access: imagine the outrage if hackers can record and publish anything done and said inside and around Teslas in the last months?

Because from a safety perspective, the amount of distracted / drunk / texting drivers who would've otherwise crashed their cars vs the amount of Tesla autopilot caused crashes is one for every 5.89 million miles (from their own website) vs about 500k for humans.

From a purely pragmatic perspective, Teslas that occasionally and irregularly crash are a way better alternative than terrible human drivers.

It has happened. E.g. the WannaCry attack back in 2017, moved markets severely. Short and most bounced back, but attacks do cause panic.

The good(?) news is that e.g. WannaCry took out large, "boring" companies, like Maersk or MSD. These companies typically have a low alpha and low volatility, and people invest in them for the long term: decades rather than weeks. Whereas with e.g. Tesla, every fart that Elon makes has an effect on the stock.

It has to be really severe, like not being able to drive your own car for multiple days because of a hack, which needs to be directly caused by their crappy security and not accidental.
> combined with a short position

While I don't disagree that Tesla is a valuable attack target, the reality is that for market value security does not matter.

There can be a massive attack on Tesla announced tomorrow, the stock will go down 5% for a few days and recover within a month. Nobody cares. It's a depressing reality.

Yeah, someone would have to spread a trojan in the Play Store that constantly broadcasts a DoS-inducing message from phones to really make a dent.
It would be extremely difficult to get away with this; there's a reason why the SEC Twitter account hack targeted Bitcoin rather than a traditional stock.
> air gapped

Good joke. Have you seen any of the stolen cars because of CAN Bus security flaws lately?

Nothing is air gapped. The Android entertainment system running 4.0 because of 32MB RAM requirements is fully connected to the CAN bus.

It's a safety nightmare.

Not even just lately; I remember around 2010 it was found that at least one car model could be exploited through the TPMS (tire pressure sensors).
Considering they literally had to latch onto the specific CAN bus to do that, it means that you can't just hack the head unit and expect to cut off the engine. Not saying it can't be done, but many manufacturers put in gateways to prevent that kind of thing.
Yes but there is more than 1 CAN bus network and they are isolated from each other via gateway. So you can't just take control over infotainment and start poking into brakes. Messages won't get routed through the GW.
AFAIK this is true for some models.
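The gateway behaviour described in the comment above (several CAN networks, with a gateway that only routes a defined set of messages between them) can be modelled in a few lines. The following is an added example, not code from the thread or from any vehicle manufacturer; the bus names, arbitration IDs and frames are all constructed for illustration. It shows a gateway whose routing table is an allow-list, so a frame arriving on the infotainment bus with a chassis-class identifier is dropped rather than forwarded, and it records such mismatches so a defender can log them.

```python
# Added example (not from the thread): a toy CAN gateway that isolates an
# infotainment bus from a chassis bus using an explicit routing allow-list.
# All bus names, arbitration IDs and payloads below are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class CanFrame:
    arbitration_id: int   # 11-bit standard CAN identifier
    data: bytes           # 0..8 payload bytes


# Constructed IDs: which bus is the legitimate origin of each message.
VEHICLE_SPEED = 0x1A0   # chassis -> infotainment (speedometer display)
BRAKE_CMD = 0x220       # chassis only; never accepted from infotainment
MEDIA_VOLUME = 0x5F0    # infotainment only; never needs to cross the gateway

OWNERS = {
    VEHICLE_SPEED: "chassis",
    BRAKE_CMD: "chassis",
    MEDIA_VOLUME: "infotainment",
}


@dataclass
class Gateway:
    # Allow-list: (source_bus, arbitration_id) -> destination_bus.
    # Anything not listed has no route and is dropped.
    routes: dict
    log: list = field(default_factory=list)
    drops_by_source: dict = field(default_factory=dict)
    spoofs: list = field(default_factory=list)  # (source_bus, id) mismatches

    def forward(self, source_bus: str, frame: CanFrame):
        """Return (destination_bus, frame) if a route exists, else None."""
        owner = OWNERS.get(frame.arbitration_id)
        if owner is not None and owner != source_bus:
            # An ID that belongs to another bus showed up here: worth logging.
            self.spoofs.append((source_bus, frame.arbitration_id))
        dest = self.routes.get((source_bus, frame.arbitration_id))
        if dest is None:
            self.drops_by_source[source_bus] = self.drops_by_source.get(source_bus, 0) + 1
            self.log.append(f"DROP  {source_bus:<12} id=0x{frame.arbitration_id:03X}")
            return None
        self.log.append(f"ROUTE {source_bus:<12} -> {dest:<12} id=0x{frame.arbitration_id:03X}")
        return dest, frame


def build_gateway() -> Gateway:
    # The only cross-bus route: vehicle speed from chassis to the display.
    return Gateway(routes={("chassis", VEHICLE_SPEED): "infotainment"})


def simulate():
    """Replay a constructed frame sequence; return per-bus deliveries and the gateway."""
    gw = build_gateway()
    delivered = {"chassis": [], "infotainment": []}
    traffic = [
        ("chassis", CanFrame(VEHICLE_SPEED, b"\x00\x50")),       # legitimate, routed
        ("infotainment", CanFrame(MEDIA_VOLUME, b"\x0c")),       # local only, not routed
        ("infotainment", CanFrame(BRAKE_CMD, b"\xff")),          # chassis ID from the wrong bus
        ("infotainment", CanFrame(VEHICLE_SPEED, b"\x00\x00")),  # spoofed chassis message
    ]
    for src, frame in traffic:
        result = gw.forward(src, frame)
        if result is not None:
            dest, routed = result
            delivered[dest].append(routed.arbitration_id)
    return delivered, gw


if __name__ == "__main__":
    delivered, gw = simulate()
    print("\n".join(gw.log))
    print("chassis received:", [hex(i) for i in delivered["chassis"]])
    print("spoof attempts:", [(s, hex(i)) for s, i in gw.spoofs])
```

The point of the allow-list design is that the chassis bus never receives anything from the infotainment side unless a route was deliberately added; the `spoofs` list is the detection hook, since chassis-class IDs arriving from the infotainment bus is exactly the condition a gateway should be alarming on rather than silently dropping.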
I don't know if you can say that about traditional OEMs' BEVs, which seem to be following the Tesla model of complete interconnectivity of all systems.

Traditional OEMs do not make an EV that is just an ICE car with an electric motor and battery; the traditional OEMs' BEV platforms are completely redesigned to put in "features" that no one wants and no one asked for, to enable OEM control over every part of the car and enable them to turn features on and off in software and OTA (you know, so they can make you pay monthly for your heated seats).

Says they needed 3 zero-day bugs to get root on the modem, nothing about controlling any other part of the system.

How come other cars aren't submitted to Pwn2Own?

A vendor pays to have their software included in this competition, where many of the world’s best offensive security pros compete.
Indeed, everyone else isn't interested in security for their cars.
> I could see security becoming a bigger part of CarPlay/Android auto’s pitch to OEMs.

Way to go, since it became common for cars to constantly broadcast WiFi and BT beacons from unpatched software stacks.

Are traditional auto OEMs going to maintain their advantage or will they rapidly follow Tesla?

If they try to emulate Tesla without the experience of making it secure, they could be even worse.