As the internet and wireless connectivity become ubiquitous, we are leveraging technology in ways that were impossible twenty years ago. Insurance companies such as Progressive, Allstate and State Farm are now offering discounts in exchange for plugging a dongle that tracks acceleration and speed into your car. Automakers such as Ford, Jeep, and Tesla are adding networked services to their cars. These developments in networked technology offer significant advantages to automakers attempting to deliver on their customer promise – convenience, analytics, and improved safety come to mind immediately. However, these new technologies are not without their risks. As technology proliferates in the auto industry, automakers seeking to leverage this technology must be deliberate about how they deal with the risks. One example of both success and failure in this arena is Tesla.
Tesla Motors has leapt to a leadership position in the high-end electric car business. Tesla has made electric cars sexy and implemented a number of industry-leading features. The Model S features on-demand internet radio, an in-dash navigation system that adjusts to real-time traffic, and WiFi and internet connectivity, among other features. All Tesla cars come standard with “the hardware needed for full self-driving capability at a safety level substantially greater than that of a human driver.” This is an incredibly exciting development, but also an incredibly risky one. Researchers at Keen Security Lab in China were able to take full remote control of a Tesla Model S. They demonstrated opening the trunk, manipulating the seat position and windshield wipers, and causing the car to brake. All of this was accomplished remotely from a laptop with no prior physical access to the car. Fortunately, in this instance, the team that discovered the vulnerability was a responsible team of professional security researchers. They reported the bug to Tesla before releasing their discovery into the wild. This will not always be the case. Vulnerabilities like this sell for millions on the open market. Can you imagine how much the NSA would pay for the ability to listen to the Bluetooth mic in Putin’s Mercedes?
At the same time that the Internet of Things (IoT) creates new risks, it also generates new benefits. In the above example, Tesla fixed the issue via an over-the-air software update before Keen Security published their proof-of-concept exploit. In a similarly beneficial incident, Tesla issued a recall for a charging adapter that overheated and potentially caused fires. Rather than have Tesla owners return to the dealer, they issued an over-the-air update which corrected the issue. These two examples demonstrate how the IoT can be a double-edged sword, providing safety and security on the one hand and putting the same at risk on the other.
So, how should Tesla address this? First, they must recognize the issue. As John Villasenor has said, “Unintended linkages are the rule, not the exception.” Tesla has not seen this yet, but Jeep has. A security team was able to disable the brakes and accelerator by hacking into the entertainment system. Tesla should learn from this failure. Second, they must audit the code prior to deployment. It is difficult to audit their own code. They should either form an independent security team or hire a third party to perform penetration testing. Third, they must balance time to market with security considerations. At this point, that should be relatively easy as Tesla is leading the game. As competitors catch up, there will be more and more psychological pressure to take shortcuts in order to cut time to market. They must resist this urge. The downside of some hacker taking control of a car and driving it through some busy area far outweighs whatever incremental benefit they get from being first to market. Finally, and this one is controversial, they should open source portions of their software for non-commercial use. This is controversial because it potentially surrenders their advantage over other automakers. However, a number of large companies (e.g. Google, Apple, Microsoft, AMD) have open sourced proprietary software and benefited from the added development. This also provides some hedge against the potential downside, as the entire community is then responsible instead of Tesla alone. If Tesla follows these four items, they will be well positioned to dominate the smart car market.
The IoT provides an as-yet-unrealized amount of opportunity for integration, modification, convenience, and analytics. It is tempting to run full throttle towards these benefits. This is unwise, and companies must remain cognizant of the security implications of their developments. If they do not, government will step in to regulate, and it is not well equipped to understand the details and nuances of secure development. It is in everyone’s best interest that corporate America not allow technology to outpace security.
 “Tesla Model S Features,” https://www.tesla.com/models
 Keen Security Lab by Tencent, “Car Hacking Research: Remote Attack Tesla Motors,” http://keenlab.tencent.com/en/2016/09/19/Keen-Security-Lab-of-Tencent-Car-Hacking-Research-Remote-Attack-to-Tesla-Cars/
 James C. Chen, “Part 573 Defect Information,” http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM448668/RCDNN-14V006-9349.pdf
 John Villasenor, “Five Lessons On The ‘Security Of Things’ From The Jeep Cherokee Hack,”