Six significant security flaws with the Tesla Model S let hackers take control of the vehicle, a team of American researchers has found.
Kevin Mahaffey, the chief technology officer of cybersecurity firm Lookout, and Marc Rogers, the principal security researcher at Cloudflare, explain that they chose to hack into a Tesla because the Silicon Valley-based company seemingly understands software better than most car makers. The results they obtained were surprising.
“The handbrake comes on, lurching it to a stop.”
Whether a hacker can turn off the electric sedan at speeds higher than five miles per hour was not disclosed. The researchers will release full details about the hack, including precisely how the S was hacked and a full list of the security flaws, during the Def Con conference that will open its doors in Las Vegas, Nevada, today.
Mahaffey and Rogers spent about two years studying the architecture of the Model S. Wired reports that the researchers managed to start and drive the car using software commands by simply plugging a laptop into a network cable behind the dashboard. They also managed to shut down the engine using a remote-access Trojan that they physically installed on the network. Finally, they noted that the infotainment system uses an outdated browser with an Apple WebKit vulnerability that hackers can potentially use to remotely take control of the car.
Tesla has not issued an official response, but it quickly designed an over-the-air patch that has already been sent to Model S owners.
“Tesla has taken a number of different measures to address the effects of all six vulnerabilities reported by [the researchers]. In particular, the path that the team used to achieve root (superuser) privileges on the infotainment system has been closed off at several different points,” said a company spokeswoman.
The news comes a mere weeks after two software engineers remotely hacked a late-model Jeep Cherokee. The hack exposed a serious security flaw with the Harman-designed Uconnect infotainment system that equips about 1.4 million Chrysler, Dodge, Jeep and Ram vehicles built between the 2013 and 2015 model years.
Harman stresses that only Fiat-Chrysler’s Uconnect software can be hacked because it’s about five-years old and it lacks the security features found in its more modern counterpart. However, the National Highway Traffic Safety Administration (NHTSA) is taking a closer look at about 2.8 million cars, trucks, and vans equipped with a Harman-designed infotainment system because it’s worried that all of the company’s infotainment systems could suffer from similar vulnerabilities.