A stolen Model 3 is always hot news because low-tech car thieves tend to stay away from the high-tech car. They know it’s very hard to get in and start the car, but even harder to evade the tracking because of the always-on GPS. But at least one thief found a way to use a smartphone to steal a Model 3 from a Mall of America parking bay.
The Model 3 in question was a rental, and the man who stole the car was a regular customer of the company that owned the car. That means he had had prior access to the car. So how did he steal it if his access was revoked after his previous rental?
Easy, apparently. A computer forensics expert surmises that he called customer support and had the VIN added to his Tesla account. The executives handling the call wouldn’t have been suspicious if he’d already had access to that car in the past. They could have denied it at that point had they looked into it further and verified with the car’s owner first, but they didn’t.
If that theory is true, then Tesla needs to tighten up security and access at its call centers. There could be any number of scenarios where such a loophole could be used. Friends to whom you’ve given access in the past can take your Model 3 for a spin without your permission. Your over-16 kid’s buddies might try doing it just for laughs. A vulnerability like this needs to be addressed by Tesla.
And that brings us to the larger picture of things being controlled centrally by auto companies. Connected cars of the future will all be linked to a central hub or a regional facility where engineers will be able to grant access to anyone to open, start and drive away with a car on the network.
What we need is a new set of laws covering how remote access is granted, and under what specific situations it is allowable. We don’t have that because the technology itself is relatively new. But we do have the physical equivalent of that. Can you just walk into a key maker’s shop and ask them to make a copy of a house or car key? Not without an appropriate background check, right? Then why aren’t such rules implemented for remote security? When you call the company that monitors your home security system, will they allow just anyone to disengage the systems? Absolutely not. So why is that happening in this situation?
It comes back to the lack of laws governing such technology. Cybersecurity is a relatively young field of endeavor, and the government is lagging behind because the tech itself moves faster than the law can. Companies like Tesla must work with governmental agencies to ensure that standards are created for connected vehicles, just as smart appliance makers must work to ensure that their gadgets aren’t easily hackable.
This is not a minor issue, even though the thief was eventually caught because of technology itself. His Supercharger trail led the police to him two days later and about 1,000 miles away, but the whole situation could have been avoided if the call center executive had a more stringent process to follow before granting access – if what the forensics expert says is true.
For now, all you can do is disable keyless entry. It doesn’t plug this particular loophole, but it will keep you a little safer. To address this particular hacking method, make sure you call up the Tesla helpline and give them specific instructions on who can be granted access. That’s the best you can do right now to prevent such a thing happening to you and your Model 3.