Security researchers from China have managed to remotely hack a Tesla Model S, taking over several of the vehicle’s controls.
Keen Security Labs have released a video demonstration of their ability to remotely control many features of the car, including being able to open the sunroof and the trunk, move the driver’s seat, fold the mirrors, freeze the huge tablet-like screen and even apply the brakes while the car is moving.
Targeting Tesla was not their goal: Keen Security Labs notified the company of the problem before releasing their findings to the public. Tesla has since fixed the problem with their 7.1 firmware update released earlier this year.
The researchers were able to hack Tesla’s systems from a distance by compromising the car’s CAN bus. The attack requires the car to be connected to an unsafe WiFi hotspot so that control can be taken via the onboard web browser.
Tesla commented on this with a statement to The Verge:
“Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious wifi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.
“We engage with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today’s demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research.”
The need for more secure connected cars has been expressed many times by many experts, and the U.S. government has just issued the Federal Automated Vehicles Policy, a set of regulations on the upcoming fully autonomous vehicles.
“These hacks demonstrate the serious problems around identity verification in today’s connected cars”, said Brian Spector, CEO of online security company Miracl, addressing the need for a change. “Having very limited encryption, identity management and data protection within such a powerful computer is extremely dangerous and poses a real and serious threat to everyone using our roads today. Move forwards to the increasing trend for driverless cars, and the potential fallout from this lack of authentication becomes even more frightening.”