Security researchers from China-based tech company Tencent have identified a series of vulnerabilities that can be exploited to remotely hack an unmodified Tesla Model S while it’s parked or on the move.
An 8-minute video published on Monday by Tencent’s Keen Security Lab shows that researchers managed to perform various actions. While the vehicle was parked, the experts demonstrated that they could control the sunroof, the turn signals, the position of the seats, all the displays, and the door locking system.
While the car was on the move, the white hat hackers showed that they could activate the windshield wipers, fold the side view mirrors, and open the trunk. They also demonstrated that a remote hacker can activate the brakes from a long distance (e.g. 12 miles, as shown in the experiment).
According to Keen Lab researchers, the attacks they demonstrated are possible due to a series of vulnerabilities that have been chained together.
“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars,” the researchers said. “We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected.”
Based on the video made available by Keen Lab, it appears that a specific Tesla Model S can be identified and hacked while its owner is searching for nearby charging stations.
The vulnerabilities have been disclosed to Tesla Motors through the company’s Bugcrowd-hosted bug bounty program. According to Keen Lab, Tesla has confirmed the flaws and is working on addressing them. Fortunately, Tesla can release over-the-air firmware updates, which means that, unlike other carmakers, the company does not need to recall vehicles to apply security patches.
SecurityWeek has reached out to Tesla for comment and will update this article if the company’s representatives respond.
Tesla launched its bug bounty program in June 2015, more than a year after researchers started demonstrating that its vehicles could be hacked. After initially offering only up to $1,000 per vulnerability, in August 2015, the company decided to increase bug bounty payouts to a maximum of $10,000 for each flaw found in websites, mobile applications and vehicle hardware.
Research conducted over the past years by several experts – the most well-known are Charlie Miller and Chris Valasek, who have managed to hack cars both locally and remotely – has led to the launch of companies and departments that specialize in automotive security. Earlier this month, Volkswagen announced that it has teamed up with Israeli security experts to launch a new firm called CYMOTIVE Technologies.
UPDATE. Tesla told SecurityWeek that it addressed the vulnerabilities found by Keen Lab within 10 days after learning of their existence. The company pointed out that the attacks are not “fully” remote and they are not as easy to conduct as the researchers have suggested. The company has provided the following statement:
“Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious wifi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.
We engage with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today’s demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research.”
The attack launched from 12 miles contradicts Tesla’s claims that the targeted vehicle must be connected to a malicious hotspot. This has led experts to believe that Keen Lab may have found a way to gain persistence.
“At first glance, it would appear that the details provided by the researchers conflicts somewhat with the information released by Tesla. While the researchers indicated that they could compromise a car from 20km, Tesla has reported that the car must be connected to a malicious Wi-Fi and the standard range for this is at most 300m. This could indicate that the attackers found a way to gain persistence on the car after it has disconnected, but then the 20km range seems oddly short. Instead I suspect that the attack may have actually been possible by another user on the same cell tower or with a cell site simulator,” Tripwire researcher Craig Young told SecurityWeek.
“In this case, I hope that the researchers do release further details to help understand the automotive attack surface better.The disclosure definitely is a cause for alarm as the attack definitely involved exploitation of a web browser leading to physical control over the car. Ideally these systems should be completely isolated from one another,” Young added.