Car hackers found a way to trigger a Tesla's brakes from miles away
The Chinese research team, from the Keen Security Lab at Tencent, first privately disclosed their findings to Tesla, and are only publishing the details now it has been patched.
There's no evidence that anyone ever maliciously used this vulnerability to target Tesla cars - but it's still a terrifying reminder of the risks that face internet-connected vehicles.
How did it work? According to a statement Tesla provided to The Verge, the targeted vehicle needed to be connected to a malicious Wi-Fi network, and using the web browser. If it is, then the hacker can take control - no physical access to the vehicle required. It affected vehicles including the Model S, that used (then-)up-to-date firmware.
The range of things the researchers could do range from the annoying to the potentially deadly. For example, when the Tesla was parked they could open the sunroof, trigger the indicator lights, and move the driver's car seat. They could also unlock the car door without the key - every thief's dream.
While moving, meanwhile, it gets more serious. The Chinese researchers were able to open the trunk adjust wing mirrors, and control the windscreen wipers, all of which could be fatally distracting. And worst of all, they found a way to trigger the vehicle's brakes from miles away, doing it in a video from 12 miles away.
Tesla said in its statement that it sent out an update, delivered wirelessly, to customers' vehicles patching the security vulnerability, and praised the researchers for their work. "We engage with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers," the electric vehicle company said. "We commend the research team behind today's demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research."
Likewise, Keen Security Lab said that Tesla has a "proactive attitude" towards their research, and that it took "actions to fix the issues efficiently."
The researchers put together a video showcasing what they were ale to make the Tesla Model S do. You can watch it below.
And here's the full statement from Tesla, via The Verge (emphasis ours):
"Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious wifi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.
"We engage with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today's demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research."