A team of Chinese hackers known as the Keen Lab claim they have managed to hack a Tesla Model S remotely — no wires needed. They were able to do some mundane things to the car, like open its trunk while the car was in motion, and disable the tablet. But they were also able to unlock it — and to apply the brakes from 12 miles away. Imagine cruising down the highway at 75 m.p.h. on Autopilot, relaxed, only to have your car screech to a halt. Sound safe?
“We pwned Tesla Model S remotely (no physical contact) with a complex exploit chain,” Keen wrote on Twitter. “All details reported to Tesla.”
Keen wrote that it had notified Tesla of the vulnerabilities, and would wait until Tesla patched them to share all the details. Now that Tesla knows about these loopholes, it can fix them before any malicious actors catch on. But it’s a sign of a future in which car cybersecurity is paramount.
It’s also important to take the video with a grain of salt. Eric Evenchick, an automobile-software specialist who created CANtact, an open source software tool that makes accessing the internal network of most vehicles more user-friendly, told Inverse in an email that “it’s very hard to vet the legitimacy of any video like this… the results are usually pretty easy to fake.” While he didn’t want to delve into speculation without more information on the hack, there was one detail that stood out.
“It’s pretty hard to comment with any certainty about what’s going on in this video, and we’ll have to wait until we see more information about the attack,” Evenchik says. “The one thing worth noting is that most of the controls on the Tesla are operated through the infotainment system, so compromising that system could definitely provide some of the control functions shown in the video.”
Keen, in a tweet reply, wrote that “any browser-borne attack vector works, which covers many scenarios only restricted by imagination.” In other words, if a Tesla owner opens up a bad link on the Tesla tablet computer, he or she could be unwittingly handing over the virtual keys to the whip, and thereby endangering all present and future occupants of the vehicle. The vulnerability sounds much like the atypical iPhone and Mac vulnerability hackers exposed back in July, which rendered these devices defenseless.
The hack coincides with the release of the Federal Automated Vehicle Policy, which outlines regulations for self-driving cars, among which are (seemingly blasé) vehicle cybersecurity guidelines. “Manufacturers and other entities should follow a robust product development process based on a systems-engineering approach to minimize risks to safety, including those due to cybersecurity threats and vulnerabilities,” the Department of Transportation and National Highway Traffic Safety Administration writes.
Tesla has not commented on the vulnerability yet, but we will update this post if and when it does. Autopilot Version 8 was slated for wide release on Wednesday, but this revelation may warrant a delay. It’s the second time in a week that a hacker’s found his way into Tesla’s computer system. But as long as the good guys stay out in front of the bad ones, Tesla has nothing to fear.