If you’re sitting around with family members you’d rather not have long conversations with this holiday season, I highly recommend firing up Netflix’s new film Leave The World Behind. Starring Julia Robers, Ethan Hawke and Mahershala Ali, it’s a Hitchcock-esque thriller about two families coming to terms with a mysterious cyberattack that completely cripples the United States and sends the nation spiraling into anarchy.
Don’t worry: despite what you just read, it’s fun, I promise. But there’s one scene from the movie that keeps proving to be a viral standout. It involves the ultimate nightmare for so-called self-driving cars, and it’s so wild I had to ask a cybersecurity firm that specializes in the auto industry what it means.
(Some general spoilers follow for Leave The World Behind; you’ve been warned.)
In this scene, after finally realizing just how completely disabled society is following an all-encompassing cyberattack, Julia Roberts’ character is attempting to flee with her family. That’s when they encounter a roadblock in the form of dozens of wrecked, all-white Teslas.
When she gets out of her Jeep to figure out what’s going on, she sees the new cars’ window spec sheets—zooming in on the Teslas’ “Full Self-Driving” option—and it all clicks for her almost at the last minute.
This leads her to dodge more incoming self-driving Teslas in her Jeep, almost as if she were on a slalom course. Then the camera pans out to reveal a massive, miles-long traffic jam across a bridge.
Exactly what happened here is never explained. It’s heavily implied that whatever actors were behind the attack seized remote control of the automated driving features in those Teslas, turning them into missiles on wheels designed to cripple more critical infrastructure and cause pandemonium.
But the scene is so notable that it got a response from Tesla CEO Elon Musk on X, and it even left some to wonder if it had anything to do with the giant Autopilot recall that happened days later. (It did not.)
Now, it’s worth noting that Autopilot and Full Self-Driving cannot and do not operate without human drivers behind the wheel; the Smart Summon feature on certain Teslas is about as close as you get, and it’s extremely limited in function. There are no truly fully self-driving cars for sale at all right now, as all automated driver assistance systems (ADAS) require human monitoring.
But if we know anything from the past few years, it’s that the complex ins and outs of systems like Full Self-Driving are a bit lost on the general public. Too many people overestimate what they can do. It’s easy to watch that scene and think a mass remote hack on Teslas is a plausible thing.
Then again… is it?
To find out, I spoke to Shira Sarid-Hausirer, who heads up marketing for Upstream, an Israeli cybersecurity firm that monitors millions of cars worldwide and works with different automakers to prevent vulnerabilities in cars. As cars turn more and more into software-defined vehicles—automobiles driven by advanced computer functions, downloads and wireless updates—hacking and security are becoming more and more of an industrywide concern.
And in the case of the scenario depicted in Leave The World Behind: it’s possible, but not especially likely, Sarid-Hausirer told me. “It’s far-fetched, not delusional,” she said. “It’s futuristic, let’s be honest. But sometimes reality can beat your imagination.”
There are a handful of real-world examples that prove this sort of thing isn’t entirely fiction. Last year, hackers in Moscow tampered with the navigation systems used by a ride-hail taxi company, directing dozens of cars to the same location and causing a huge traffic jam.
Additionally, as arguably the original software-defined vehicle, Teslas have been hacked before, including by benevolent white-hat hackers and cybersecurity researchers. Last year, a group of researchers were able to breach the cars at a conference co-sponsored by Tesla. In another instance, a 19-year-old hacker remotely accessed more than two dozen Teslas around the world, unlocking doors and windows and even honking horns from his computer.
“This is nowhere near full control,” Sarid-Hausirer said. “But if we want to take this scenario from the Netflix movie, he was able to take the windows down while you’re driving, blow your horn, tamper with your A/C and radio and infotainment systems, lock and unlock and start your car remotely… all that certainly poses a safety hazard.”
(Sarid-Hausirer made clear she was speaking broadly about cybersecurity challenges the entire industry faces, not just Tesla. She and other groups I’ve spoken to have also said Tesla takes these matters seriously and works to correct them quickly.)
“There are some elements in reality right now that can indicate [the industry] needs to be careful,” Sarid-Hausirer said.
Where ‘Software-Driven Cars’ Are Vulnerable
Specifically, there are two major vulnerability points for modern cars: over-the-air updates and APIs, essentially the interface between the cars and various third- and even first-party applications. Think streaming music, navigation apps, smartphone integrations and more—anything that opens a sort of gateway between the car and something else.
Unfortunately, Sarid-Hausirer said, both OTA updates and in-car apps are hallmarks of the software-defined vehicle future. They’re crucial to automakers’ plans to add more features to cars over time and drive revenue from them, much as Tesla has done for years. And those functions can represent new ways for hackers to get access to cars. Safeguarding against this becomes especially crucial as cars approach self-driving, she said. So-called zero-day exploits, where an attacker exploits an opening that was previously unknown and where a company has “zero days” to fix it, are of particular concern.
“The infotainment system is sort of a gateway to multiple internal systems that control the systems of the vehicle,” she said. “One of them is the navigation. Say, in a few years, you’re going to go from your office to your home [in a more fully automated car] and someone remotely manipulates that navigation command and navigates you to a different place.”
That would be, to use a technical industry term, not good.
Besides getting into critical systems via vulnerabilities in apps, Sarid-Hausirer said OTA updates can theoretically go awry too. “Threat actors could manipulate other vulnerabilities to inject malicious code into the OTA update,” she said, essentially leaving something inside the car that an automaker doesn’t want.
So while the example shown in this movie is extreme—there are no known cases of actual remote seizures of entire fleets of cars, where their movement is yielded to a third party—the science behind it has grounding in reality.
Car Companies Have To Become IT Security Companies Too
As scary as this sounds, Sarid-Hausirer said she’s actually “optimistic” about the way things are going. No automaker wants these kinds of headaches, or anything even remotely close to the scene depicted in Leave The World Behind. So the industry as a whole has stepped up its cybersecurity game even in just recent years.
“It’s important to say that the industry is moving very rapidly to protect these vehicles,” she said. She added that as that business has developed, the top priority has been safety—the physical safety of occupants and passengers—followed by data privacy. After all, as high-tech as the auto industry wants to get, a car can represent far more of a physical threat than any lines of code.
“This is not an IT hack where someone penetrates a server,” she said. “This is a car, right? It has the potential to do things that we would like to prevent, like crashing into each other, or buildings.”
Contact the author: patrick.george@insideevs.com
