Watch Teslas being hacked as they drive, from up to 20 km away

# Baby, you can hack my car… #

How Teslas were hacked as they drove down the street, from up to 20 km away

The Register writes:

Chinese hackers have attacked Tesla electric cars from afar, using exploits that can activate brakes, unlock doors, and fold mirrors from up to 20 kilometres (12 miles) away while the cars are in motion.

Keen Security Lab senior researchers Sen Nie, Ling Liu, and Wen Lu, along with director Samuel Lv, demonstrated the hacks against a Tesla Model S P85 and 75D and say their efforts will work on multiple Tesla models.

The Shanghai, China-based hacking firm has withheld details of the world-first zero day attacks and privately disclosed the flaws to Tesla.


Full details of how the researchers were able to hack the Tesla have not been made public, but it appears from the video that part of the process involved intercepting a Tesla owner's attempt to find the nearest charging station.

Tesla says that it has rewarded the researchers under its bug bounty program, and that a patch for the flaw has already been created and rolled out to affected vehicles:

"Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious Wi-Fi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly."

This isn't, of course, the first time that Teslas have proven themselves to be vulnerable to hackers.

Concerns were raised a few years ago that the only thing which stopped a hacker from stealing your $100,000 vehicle was a simple six-character password.

It's not going to be too long before all of us are driving 'connected' cars. I'm in a quandary - should I pay extra for a car that *isn't* part of the internet of things, or will that make software and safety updates a right pain in the backside to deploy?

When done right, software *can* make our cars smarter and safer. But we need dangerous bugs in the software to be ironed out, and a safe and simple way to update our cars without opening backdoors that hackers can take advantage of.

USB stick anybody?


6 Responses

  1. Norman Hirsch

    September 20, 2016 at 1:39 pm

    My understanding was only if it was using same wifi which would mean max 300m or so.

    • Graham Cluley in reply to Norman Hirsch.

      September 20, 2016 at 1:42 pm

      Hi Norman. Although it appears that the initial interception of credentials (if that's what is happening when the owner searches for a charging station) takes place at close range, the video goes on to demonstrate a remote hacker based in the researchers' offices (12 miles away) successfully hijacking control of the vehicle.

  2. Norman Hirsch

    September 20, 2016 at 1:42 pm

    Meanwhile it was already patched by Tesla in 10 days. FYI the Tesla app allows some of those functions including keyless driving.

  3. Brooke

    September 20, 2016 at 4:09 pm

    You have to hand it to Tesla for their quick reaction and for having built the cars with enough forward thought around the need to update. So many of these manufacturers didn't and are seeing this in the news with no way other than "bring them in". Tesla ironed it out, tested it and hit the big red "update" button to deploy. Way to go! They should be commended and praised in the industry vs any shaming related to the bugs found. I'm sure most media will take this as a time to show how bad things are, but they should focus on how right it's done/addressed.

    • graphicequaliser in reply to Brooke.

      September 22, 2016 at 1:19 pm

      Tesla also rewarded the hackers for the professional way in which they conducted the tests and reported the findings. Tesla certainly seem to be a forward-thinking company!

  4. Michael Ponzani

    September 22, 2016 at 4:08 pm

    We have too much technology. Nobody wants to do anything for themselves. Maps used to come in books or fold up paper format (know anyone who could consistently fold the map the right way?) Now everything is done for you via computer. We might as well hire caterpillars to spin us cocoons so we are safe, nice, warm and fuzzy. Or else we could become gov't subsidized junkies.
