People are very concerned that the rise of connected cars will lead to devastating issues caused by hackers. This is a justifiable fear, as there is always the possibility (however remote) that hackers could go so far as to control vehicles, causing accidents. The same new technology in vehicles that is present to minimize accidents, could be accessed with criminal intentions.
Keen Security Lab Was Able To Apply the Brakes From 12 Miles Away
So far, the problem hasn't been widespread. However, we have seen some instances of hacking, most of which are hackers revealing security issues in order to benefit the automakers. Thus far, hacking has been mostly limited to accessing components like mirrors, door locks, moonroofs, lighting, and personal information.
Now for the first time, hackers have publicly demonstrated the ability to hack the Tesla Model S, and to hack "driving related" systems via a compromised wifi/open browser connection initiated by the car's owner - which obviously limits the area and scope in which the Tesla could be commandeered.
Fortunately, the hackers from Keen Security Lab, did not have any ulterior motives, and reported the discovered vulnerabilities to Tesla prior to publicizing the video.
As technology continues to progress, more breaches will be discovered and addressed. In the end, highly-encrypted technology should be more difficult to hack than simply popping a lock or hot-wiring a vehicle. Hopefully, in the future, vehicle vulnerabilities will continue to be discovered prior to any catastrophic consequences.
Video Description by Keen Security Lab via YouTube:
With several months of in-depth research on Tesla Cars, we have discovered multiple security vulnerabilities and successfully implemented remote, aka none physical contact, control on Tesla Model S in both Parking and Driving Mode. It is worth to note that we used an unmodified car with latest firmware to demonstrate the attack.
Following the global industry practice on “responsible disclosure” of product security vulnerabilities, we have reported the technical details of all the vulnerabilities discovered in the research to Tesla. The vulnerabilities have been confirmed by Tesla Product Security Team.
Keen Security Lab appreciates the proactive attitude and efforts of Tesla Security Team, leading by Chris Evans, on responding our vulnerability report and taking actions to fix the issues efficiently. Keen Security Lab is coordinating with Tesla on issue fixing to ensure the driving safety of Tesla users.
As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars. We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected. Keen Security Lab would like to send out this reminder to all Tesla car owners:
PLEASE DO UPDATE THE FIRMWARE OF YOUR TESLA CAR TO THE LATEST VERSION TO ENSURE THAT THE ISSUES ARE FIXED AND AVOID POTENTIAL DRIVING SAFETY RISKS.
This video demonstrates the impact of our remote attack vector. REMINDER: WHAT YOU ARE ABOUT TO SEE IN THIS VIDEO ARE PERFORMED BY PROFESSIONAL RESEARCHERS, DO NOT TRY THIS AT HOME.
Tesla statement on the discovery (via The Verge):
"Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious wifi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.
We engage with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today’s demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research."