A few days ago there was a story about how to steal a Tesla by installing malware on the owner’s phone. If you look at the big picture view of this problem it’s not all that bad, but our security brains want to make a huge deal out of this. Now I’m not saying that Tesla shouldn’t fix this problem, especially since it’s going to be a trivial fix. What we want to think about is how all these working parts have to fit together. This is something we’re not very good at in the security universe; there can be one single horrible problem, but when we paint the full picture, it’s not what it seems.
Firstly, the idea of being able to take full control over a car from a phone sounds terrible. It is terrible and when a problem like this is found, it should always be fixed. But this also isn’t something that’s going to affect millions (it probably won’t even affect hundreds). This is the sort of problem where you have an attacker targeting you specifically. If someone wants to target you, there are a lot of things they can do, putting a rootkit on your phone to steal your car is one of the least scary thing. The reality is that if you’re the target of a well funded adversary, you’re going to lose, period. So we can ignore that scenario.
Let’s move to the car itself. A Tesla, or most any stolen car today, doesn’t have a lot of value, the risk vs reward is very low. I suspect a Tesla has so many serial numbers embedded in the equipment you couldn’t resell any of the parts. I also bet it has enough gear on board that they can tell you where your car is with a margin of error around three inches. Stealing then trying to do something with such a vehicle probably has far more risk than any possible reward.
Now if you keep anything of value in your car, and many of us do, that could be a great opportunity for an adversary. But of course now we’re back to the point if you have control over someone’s phone, is your goal to steal something out of their car? Probably not. Additionally if we think as an adversary, once we break into the car, even if we leave no trace, the record of unlocking the doors is probably logged somewhere. An adversary on this level will want to remain very anonymous, and again, if your target has something of value it would be far less risky to just mug them.
Here is where the security world tends to fall apart from an economics perspective. We like to consider a particular problem or attack in a very narrow context. Gaining total control over a car does sound terrible, and if we only look at it in that context, it’s a huge deal. If we look at the big picture though, it’s not all that bad in reality. How many security bugs and misconfigurations have we spent millions dealing with as quickly as possible, when in the big picture, it wasn’t all that big of a deal. Security is one of those things that more often than not is dealt with on an emotional level rather than one of pure logic and economics. Science and reason lead to good decisions, emotion does not.