Modern cars are more sophisticated than ever. But the smarter they become, the more vulnerable they are to hackers.
Tesla’s Model S is like a “sophisticated computer on wheels,” as CEO of Tesla Motors (TSLA:NASDAQ) Elon Musk put it. But this level of sophistication makes the Tesla car a pretty interesting target for Chinese hackers.
A group of researchers from the Chinese technology company Tencent managed to remotely control the braking system, trunk, and side-view mirrors of the vehicle. In order to demonstrate a series of vulnerabilities, the Chinese researchers made a video and made it public on their blog.
“I think it is very good research [and] they did the demonstration publicly,” said Craig Smith, research director of transportation security at Rapid7, an IT security company. Smith is also the author of “The Car Hacker’s Handbook.”
These kind of videos are typically not made public, he said.
In the first part of the video, the researchers showed how they remotely managed to open the sunroof, switch on the turn signals, move the car seat, control the central display, and unlock the door of the car in the parking position.
In the second part of the video, they turned on the windshield wipers, folded the side-view mirror, and opened the trunk while the car was moving. And most importantly, the Chinese researchers were able to control the car’s braking system.
“As far as we know, this is the first case of a remote attack that achieves remote control on Tesla cars,” the researchers stated in the blog post.
The hackers managed to crack the so-called CAN bus, or controller area network, a simple computer protocol used in the auto industry. All embedded systems and electronic units inside modern cars communicate using this network.
According to Smith, it is not the first remote attack case involving the CAN bus. It was done before in other cars. “But I think they are the first ones who did it on a Tesla car,” he said.
“When you are able to attack the CAN bus, you can do additional things that you can’t do on the mobile application, like controlling the brakes or folding the side-view mirrors,” said Smith.
Like many software companies, Tesla runs a program to reward researchers who report cyber-security weaknesses.
“We have reported the technical details of all the vulnerabilities discovered in the research to Tesla. The vulnerabilities have been confirmed by Tesla’s product security team,” stated the Chinese researchers.
Tesla created a software update to fix the problem within 10 days after receiving the report.
“The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious Wi-Fi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly,” Tesla stated.
This is a good example of a collaborative work where independent researchers responsibly report problems to the manufacturer to prevent risks for consumers, Smith said.
“Even though it is a strange condition, it is still a condition that could happen. They made the right call, even though they consider it a low risk.”
Tesla has been under pressure after a fatal crash in Florida in May when the autopilot of the car malfunctioned. The crash killed 40-year-old Joshua Brown and led to an investigation by the U.S. safety agency, the National Highway Traffic Safety Administration.
As a consequence, Tesla recently announced that it made improvements to the Autopilot system to prevent such accidents.
But Elon Musk and Tesla have had a rough September. A rocket of Musk’s SpaceX exploded at its Cape Canaveral launch pad on Sept. 1. And now Chinese company Tencent presents its case on how to hack Tesla cars. From this point, it seems things can only get better.