Tesla patches Model S, nabs security head from Google’s Project Zero

Tesla has patched six flaws in its Model S vehicles as it finds its new head of security from the ranks of an elite group of hackers in Google’s Project Zero.

Chris Evans, who’s headed up Chrome security for several years as well as Project Zero, announced on Twitter that he’ll be leaving the search company “soon” to lead Tesla security.

Evans has notched up a number of achievements during his decade at Google, from building the Chrome security team from scratch to launching the company’s Chromium, Google Web and Pwnium bug programs, according to his LinkedIn profile.

He won’t be the first high-profile hacker to join Tesla’s ranks, but the move comes amid heightened concerns over car hacking after security researchers demonstrated a dangerous remote attack on a Jeep Cherokee that prompted Fiat Chrysler in July to recall 1.4 million vehicles to patch the bug they exploited.

Tesla confirmed it has hired Evans to lead its security team. "We are always looking to add world-class talent to Tesla," a spokeswoman told CSO.

Tesla has good reason to hire talented hackers: it makes the most highly networked vehicles on the road and, much like smartphone vendors, delivers performance improvements and security fixes through over-the-air (OTA) firmware updates.

The company recently released an update to its Model S vehicles to address six flaws that researchers revealed at Def Con in Las Vegas on Thursday.

Kevin Mahaffey, CTO of security startup Lookout, and Marc Rogers, a security researcher at CloudFlare, demonstrated they could, with physical access, plant malware on a Model S’ network and later remotely kill its engine while in motion.

Among the six flaws they found was a potentially remotely exploitable flaw in the vehicle’s infotainment system, thanks to an out-of-date browser that contained an old Apple WebKit flaw. Tesla told Wired that it had since isolated the browser from the rest of the infotainment system.

Evans joins Tesla after the company has stepped up its investments in security. As Computerworld reported last year, Tesla at the time was looking to build a team of at least 30 full-time hackers to find flaws in the firmware used to control cars.

The company also recently launched its own bug bounty on Bugcrowd, offering up to $1,000 for each bug reported, though only for flaws in its website.

For bugs like those revealed today, it has a separate channel that it handles itself but, unusually for the vehicle industry, it promises not to prosecute bug reporters who responsibly disclose bugs and rewards them via its hall of fame.

Project Zero, the team Evans led, has uncovered dozens of new flaws in products from across the software industry.

The group found itself at the centre of a controversy over responsible disclosure after revealing details about several Windows flaws that Microsoft hadn’t patched within its 90-day deadline.


Stories by Liam Tung
