Tesla has patched a number of vulnerabilities that allowed attackers to remotely take control over certain features in its Model S car.
Researchers at the Keen Security Lab of Tencent, a Chinese tech company, exploited the vulnerabilities to successfully seize control of the CAN bus that operates many vehicle systems in the car. They did so by connecting the Model S to a malicious Wi-Fi hotspot while accessing the car’s map search feature to find the nearest charging station.After gaining access to the CAN bus, the researchers demonstrated that an attacker could take control over the dashboard computer screen, open the sun roof, fold the side mirrors, and apply the brakes when the car was in motion, among other actions.The research team surmises these vulnerabilities don’t just affect the Model S, either:“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars. We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected.”You can view a demonstration of the hack in the video below:
With respect to responsible disclosure, the researchers notified Tesla of the vulnerabilities. The car company has since implemented a patch that fixes the issues.
As it explains in a statement sent to The Verge:
“Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious wifi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.
“We engage with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today’s demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research.”
All owners of a Tesla Model S car should implement that over-the-air update as soon as possible.
News of this hack follows approximately one year after three Jeep owners sued Chrysler and the maker of the Uconnect dashboard computer after security researchers Chris Valasek and Charlie Miller exploited a vulnerability in uConnect to hijack a 2014 Jeep.