Tesla patches Model S, nabs security head from Google’s Project Zero

  • Liam Tung (CSO Online)
  • 07 August, 2015 09:10

Tesla has patched six flaws in its Model S vehicles as it finds its new head of security from the ranks of an elite group of hackers in Google’s Project Zero.

Chris Evans, who’s headed up Chrome security for several years as well as Project Zero, announced on Twitter that he’ll be leaving the search company “soon” to lead Tesla security.

Evans has notched up a number of achievements during his decade at Google, from building the Chrome security team from scratch to launching the company’s Chromium, Google Web and Pwnium bug programs, according to his LinkedIn profile.

He won’t be the first high profile hacker to join Tesla’s ranks but the move comes amid heightened concerns over car hacking after security researchers demonstrated a dangerous remote attack on a Jeep Cherokee that prompted Fiat Chrysler in July to recall 1.4 million vehicles to patch the bug they exploited.

Tesla confirmed it has hired Evans to lead its security team. "We are always looking to add world-class talent to Tesla," a spokeswoman told CSO.

Tesla has good reason to hire talented hackers as the maker of the most highly networked vehicles on the road, which delivers performance improvements and security fixes — much like smartphone vendors — through over-the-air (OTA) firmware updates.

The company recently released an update to its Model S vehicles to address six flaws that researchers revealed at Def Con in Las Vegas on Thursday.

Kevin Mahaffey, CTO of security startup Lookout, and Marc Rogers, a security researcher at CloudFlare, demonstrated they could, with physical access, plant malware on a Model S’ network and later remotely kill its engine while in motion.

Among the six flaws they found was a potentially remotely exploitable flaw in the vehicle’s infotainment system, thanks to an out-of-date browser that contained an old Apple WebKit flaw. Tesla told Wired that it had since isolated the browser from the rest of the infotainment system.

Evans joins Tesla after the company has stepped up its investments in security. As Computerworld reported last year, Tesla at the time was looking to build a team of at least 30 full-time hackers to find flaws in the firmware used to control cars.

The company also recently launched its own bug bounty on Bugcrowd, offering up to $1,000 for each bug reported, though only for flaws in its website.

For bugs like those revealed today, it has a separate channel that it handles itself but, atypically for the vehicle industry, promises not to prosecute bug reporters who responsibly disclose bugs and rewards them via its hall of fame.

Project Zero, the team Evans led, has uncovered dozens of new flaws in products from across the software industry.

The group found itself at the centre of a controversy over responsible disclosure after revealing details about several Windows flaws that Microsoft hadn’t patched within its 90-day deadline.