ZDNet is reporting Tesla failed to properly secure their Amazon Web Services servers, thus leading to a breach where the attackers were using them to mine cryptocurrency:

Researchers from the RedLock Cloud Security Intelligence (CSI) team discovered that cryptocurrency mining scripts, used for cryptojacking — the unauthorized use of computing power to mine cryptocurrency — were operating on Tesla’s unsecured Kubernetes instances, which allowed the attackers to steal the Tesla AWS compute resources to line their own pockets.

Tesla’s AWS system also contained sensitive data including vehicle telemetry, which was exposed due to the unsecured credentials theft.

“In Tesla’s case, the cyber thieves gained access to Tesla’s Kubernetes administrative console, which exposed access credentials to Tesla’s AWS environment,” RedLock says. “Those credentials provided unfettered access to non-public Tesla information stored in Amazon Simple Storage Service (S3) buckets.”

The unknown hackers also employed a number of techniques to avoid detection. Rather than using typical public mining pools in their scheme, for example, the threat actors instead installed mining pool software and instructed the mining script to connect to an unlisted endpoint.

Tesla essentially lives within connected services, and to make such an amateur mistake is surprising for the company. The attackers could have done a lot more damage, but were ultimately more interested in trying to make money than vandalism.

Ever since the proof-of-concept hack against Jeep, automobile cyber security is on peoples minds. This time two US senators are asking automobile manufacturers for details on their cyber security strategies:

Two U.S. senators have asked the world’s biggest automakers for information on steps they have taken to protect cars from being hacked, as attention on vehicle security has surged following the first car recall over a cyber bug.

Democratic Senators Edward Markey and Richard Blumenthal wrote to 18 automakers on Wednesday asking about efforts taken to secure vehicles including 2015 and 2106 models. They asked automakers how they test electronic components and communications systems to ensure attackers cannot gain access to onboard networks.

Concerns about auto cyber security have grown since July, when researchers gained remote control of a moving Jeep, prompting Fiat Chrysler Automobiles (FCAU.N) (FCHA.MI) to recall some 1.4 million vehicles for a software update.

The request from the senators follows a review that Markey began in December 2013. He concluded in a February 2015 report that the spread of technology connecting vehicles to networks had outpaced industry and government efforts to protect vehicles from hackers.

The senators said they want to know what automakers have done since the last survey to beef up security.

Cyber Security researchers are pushing back against Chrysler for mitigating the Jeep vulnerability by mailing a USB drive and hoping customers will plug it in to their vehicles to fix the known problems:

Security pros have long warned computer users not to plug in USB sticks sent to them in the mail—just as they shouldn’t plug in thumb drives given to them by strangers or found in their company’s parking lot—for fear that they could be part of a mass malware mailing campaign. Now Chrysler is asking consumers to do exactly that, potentially paving the way for a future attacker to spoof the USB mailers and trick users into installing malware on their cars or trucks.

“An auto manufacturer is basically conditioning customers into plugging things into their vehicles,” says Mark Trumpbour, an organizer of the New York hacker conference Summercon whose sister-in-law’s husband received the USB patch in the mail Thursday. “This could have the potential to backfire at some point in the future.”

When WIRED reached out to Chrysler, a spokesperson responded that the USB drives are “read-only”—a fact that certainly wouldn’t protect users from a future spoofed USB mailing—and that the scenario of a mailed USB attack is only “speculation.”

While the idea of mailing out a USB drive is not the best method, it likely is the only mechanism Chrysler has in its current arsenal. In the future they need to devise a much more secure method to release these types of security updates.

In a terrifying trend being witnessed quite often, Volkswagon effectively used the courts to gag security researchers from disclosing security flaws in their keyless ignition system for two years (emphasis added):

They took their findings about the weaknesses in the cryptography and authentication protocol to the Swiss manufacturer of the chip in February 2012, giving them nine months to fix the flaw; then they took their research to Volkswagen in May 2013. They had planned to present their research at USENIX 2013, but Volkswagen argued its vehicles would be at risk of theft and filed a lawsuit to block the paper from being published.

Although the code had been available on the Internet since 2009, the UK High Court of Justice awarded an injunction that prohibited the authors, their institutions, and anyone else who might assist them from publishing the research. The British court wrote, “I recognize the high value of academic free speech, but there is another high value, the security of millions of Volkswagen cars.”

So much for doing the right thing by responsibly disclosing the security flaw.

Indeed, so much for doing the right thing. Good guys never win.

The Electronic Frontier Foundation waxes on why the recent Jeep hack highlights how utterly dangerous the DMCA’s anti-circumvention clause is to security research:

One major reason that serious vulnerabilities have gone undisclosed and unfixed is that laws like Section 1201 of the Digital Millennium Copyright Act chill independent security research. That’s why we filed for an exemption to Section 1201 that would specifically protect security and safety research on vehicle software from DMCA liability. The automakers showed up in force to oppose it (including the “Auto Alliance” trade group, of which Fiat Chrysler is a member), arguing that there was no need for independent security research and that they had the legal right to shut it down – even when researchers only look at code on vehicles they own. We think Miller, Valasek, and other researchers have amply shown the need for independent vehicle security research.

We also asked for a second DMCA exemption for vehicle software, one that would allow competition in the vehicle software space (as well as repairs and customization). If that exemption is granted, an alternative software provider could enter the market to secure your vehicle and you might decide you have more faith in them than in the original manufacturer (or they might offer better functionality, or they might protect your privacy against invasive data collection by auto manufacturers). We would at least see the possibility of competition leading to better practices and spurring innovation among manufacturers.

Two security researchers performed a proof-of-concept hack on a Jeep, remotely controlling in while it was in motion on a highway, proving they could control its dashboard, steering, breaking, and transmission (emphasis added):

Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country. “From an attacker’s perspective, it’s a super nice vulnerability,” Miller says.

From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit—the hardware for its entertainment system—silently rewriting the chip’s firmware to plant their code. That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels. Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015. They’ve only tested their full set of physical hacks, including ones targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit. They have yet to try remotely hacking into other makes and models of cars.

Imagine how it must feel to suddenly lose complete control over your vehicle while it is traveling over 60mph on a highway. Reading it is scary enough, but living through it must be much more terrifying.

There is a delicate balance between convenience and security. To do things correctly, security needs to be baked in from the beginning rather than duct taped on after the fact. Sounds like Chrysler opted for the latter route.

As vehicle manufacturers add more sophisticated connected controls to cars this increases the risk of compromise, and a potential car hack could lead to the actual loss of lives depending on how the operation is leveraged. The US Senate is preparing to tackle this very issue and is proposing a set of cyber security standards for cars:

The Security and Privacy in Your Car Act of 2015 seeks to get a step ahead of what is seen by some as one of the next fronts in hacking: connected vehicles, which are always on the Internet and rely on sophisticated computer control systems.

Proposed by Senators Edward J. Markey, a Democrat from Massachusetts, and Richard Blumenthal, a Democrat from Connecticut, the act would mandate that critical software systems in cars be isolated and the entire vehicle be safeguarded against hacking by using “reasonable measures.” The proposed bill doesn’t define those measures.

Data stored in the car should be secured to prevent unauthorized access and vehicles will also have to detect, alert and respond to hacking attempts in real time.

Under the proposed law, new privacy standards, to be developed by the National Highway Traffic Safety Administration (NHTSA), will require vehicle owners be made aware of what data is being collected, transmitted and shared. Owners will be offered the chance to opt out of such data collection without losing access to key navigation or other features where feasible.

The NHTSA will also be tasked with developing an easy method for consumers to evaluate how well an automaker goes beyond the minimum standards defined in the proposed law.

To date, there have been few examples of cyber attacks on cars, but security researchers have demonstrated that it’s possible to take over the critical control systems of a car while it is in motion.

This article by Pete Bigelow on AutoBlog asking whether cyber-security researchers can continue studying cars or not was an interesting read:

By allowing vehicle security researchers to hack cars and publish details of their exploits, federal officials said they feared they could encourage people with malicious intent to infiltrate vehicles.

One of the chief ways they might ease that concern would be by imposing 90-day waiting period before independent cyber-security experts could share details of their efforts.

Officials with the U.S. Copyright Office floated that idea – essentially a compromise – during a hearing Tuesday that may determine whether security researchers can continue to access software coding that runs many critical functions in cars without fear of legal repercussions.

Proponents of independent car-hacking research have asked the Copyright Office to grant an exemption under provisions of a federal law that governs access to copyrighted materials. They say this sort of independent research plays a critical part in pushing manufacturers to better protect their vehicles, but OEMs argued their disclosures increased the potential for harm. That grim possibility seemed to register with copyright officials Tuesday.

“What if you find a vulnerability the bad guys don’t know about yet,” asked Jacqueline Charlesworth, general counsel and associate register of copyrights asked during the proceedings held at the UCLA School of Law in Los Angeles. “That’s what I’m struggling with here.”

Disclosure has always been a sticking point in the security research world. On one hand, there is a group of folks who prefer vulnerabilities remain secret – sometimes until fixed, sometimes for a specific period. On the other hand you have those who believe by immediately disclosing the security vulnerability it places pressure on the manufacturer or developer to issue a quick fix.

Personally, I am in the latter camp. There are very few instances where delaying disclosure is a good thing.

In most cases, malicious actors, especially those backed by nation states, are already aware of the vulnerability and have it as one of the tools in their arsenal. The longer it takes to issue a fix, the longer these actors can leverage the vulnerability to compromise victims all over the world.

Sometimes our very own NSA uses this tactic, which is likely why they prefer long disclosure times. This way they, too, can leverage the vulnerability in their worldwide CNO campaigns.