Tesla Model S hacking keynote during CeBIT triggers outrage

Last week, during the CeBIT conference in Hanover, Germany, a keynote from Lookout’s Co-Founder and CTO, Kevin Mahaffey explained the process of hacking and fixing Tesla’s Model S.

But some security professionals are in a rage because it looks like Mahaffey took all the credit and forgot the other half of his research team.

When it comes to security flaws in the automotive industry, the researchers who explore those problems and look for solutions are doing the world a service. Automobiles are starting to become more technical and connected, but they don’t have the protections many have come to expect from their desktops or laptops – or even their phones in some cases.

Tesla is a company that makes highly sought-after and technical vehicles, so ensuring they’re secure is a priority for the company. When Kevin Mahaffey and Marc Rogers looked at the security posture of Tesla, the company was selected because they’re making the types of cars that will common in the not too distant future.

Their research took several years, but eventually they discovered a way to control the Tesla Model S.

The two gave a joint presentation of their work last year during DEFCON in Las Vegas, and their work helped put Tesla in the spotlight as a researcher friendly company. In fact, Tesla will gladly work with researchers who do coordinated responsible disclosure of security flaws.

Last week, Mahaffey gave a keynote at CeBIT titled – “Why I Hacked the Tesla Model S” [archive link] and explained the work he and Rogers did.

However, several security professionals took issue with the title of the talk – or rather the usage of ‘I’ in the title and the constant references to ‘we’ Mahaffey made during his presentation.

The issue with the usage of ‘I’ is clear; most security professionals see this as Mahaffey claiming full credit for a joint-research project.

The fact this project will have a profound effect how Tesla and other automobile manufactures design connected systems means that full credit should be given to everyone involved – this was an important first step for protecting auto consumers.

To compare, when one thinks of the Jeep hacking research from 2015, both Charlie Miller and Chris Valasek will forever be linked to that project. It was an important project; one that triggered a massive recall, a fix that ultimately keeps drivers safe, and changes to product development that ensures their safety for years to come.

The other issue security professionals have with the CeBIT keynote is the usage of ‘we’ by Mahaffey.

Salted Hash reached out to Lookout and Marc Rogers about this issue. Rogers declined to comment. Prior to our contact, Lookout wasn’t aware of any backlash and put the blame on CeBIT once the issue came to their attention.

In an email, a Lookout spokesperson said it was “disappointing that CeBIT positioned Kevin and Marc’s research in such a way that excluded recognition of Marc’s extremely hard work.”

“It was absolutely a collaboration between the two of them and Kevin does make that clear in his CeBIT presentation,” the spokesperson added, referencing remarks during the presentation and presumably the usage of ‘we’ throughout the talk itself.

To their point, Mahaffey does mention Rogers briefly at the start of the keynote:

“Why did I undertake this research? It was myself Kevin Mahaffey and my research partner Marc Rogers, we’ve been working on this project for several years…”

Moreover, about 27 minutes into the keynote, Mahaffey shows a video of Rogers using SSH to control the Tesla Model S.

Some of those taking issue with the keynote itself say the usage of ‘we’ throughout the talk is done in front of monitors and signage branded with the Lookout logo – so ‘we’ could clearly be linked to Mahaffey and Lookout, not Mahaffey and Rogers.

In a number of threads on Facebook, as well as an emailed statement to Salted Hash, Mahaffey offered an apology and stated that he feels terrible that Rogers would feel slighted by the incident.

He also makes note of the fact that he and Rogers agreed they could present the research separately.

As for who submitted the talk, Lookout said the talk was the result of a series of conversations with their German-based PR firm and the CeBIT conference organizers. The company says they should have caught the misleading title, and apologize failing to do so.

Lookout says they’re working to get the article from CeBIT corrected, but as of Sunday evening (early morning in Germany) there have been no changes made.

The hope is that the CeBIT article gets corrected and sets the record straight. No matter what, no one should let this incident detract from the great work Rogers and Mahaffey did.

Likewise, it shouldn’t prevent people from working to with the auto industry to fix their stuff – they need all the help they can get.