Tesla Hack – Remote Access Whilst Parked or Driving

The New Acunetix V12 Engine


The big buzz on my Twitter this week was about the Tesla Hack carried out by a Chinese crew called Keen Security Lab. It’s no big surprise even though Tesla is known for being fairly security concious and proactive about it.

Tesla Hack - Remote Access Whilst Parked or Driving

With it being a connected car, that’s pretty important that any remote control capabilities are rock solid. As always with security though, the more secure you make it generally the less usable it becomes – so they have to tread that thin line too.

Tesla Motors is considered one of the most cybersecurity-conscious car manufacturers in the world—among other things, it has a bug bounty program. But that doesn’t mean the software in its cars is free of security flaws.

Researchers from Chinese technology company Tencent found a series of vulnerabilities that, when combined, allowed them to remotely take over a Tesla Model S car and control its sunroof, central display, door locks and even the braking system. The attack allowed the researchers to access the car’s controller area network (CAN) bus, which lets the vehicle’s specialized computers communicate with each other.

“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars,” the researchers from Tencent’s Keen Security Lab said in a blog post Monday. “We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected.”

The blog post is accompanied by a demonstration video in which the researchers show what they can achieve through their attack, which works either while the car is parked or being driven.

First, while the car was parked, the researchers used a laptop to remotely open its sunroof, activate the steering light, reposition the driver’s seat, take over the dashboard and central display and unlock the car.


It seems like the whole thing has been handled responsibly and Keen reported the vulnerability to Tesla before releasing the information publicly, it’s already been fixed in the latest firmware revision so if you are a Tesla owner – please update your car!

This is the plus side of a connected car, the manufacturer doesn’t need to recall millions of cars to update the software and remove the flaw – they can push it OTA.

In a second demonstration, they turned on the windshield wipers while the car was being driven at low speed in a parking lot for demonstration purposes. They also showed that they can open the trunk and fold the side-view mirror when the driver is trying to change lanes. While these operations can be distracting to the driver in certain situations, causing a safety risk, the most dangerous thing they were able to do was to engage the car’s braking from 12 miles away.

Such an attack, performed against a car being driven at high speed on a highway, could result in a serious rear-end collision.

The researchers reported all of the vulnerabilities through Tesla’s bug bounty program, and the company is working on patches. Fortunately, Tesla cars can receive firmware updates remotely and Tesla car owners are advised to make sure that their vehicles are always running the latest software version.

Car hacking has become a hot topic in recent years among security researchers, regulators and car manufacturers themselves. As cars become more interconnected, the ways in which they can be remotely hacked will only increase, so it’s important that the computers handling critical safety features are isolated and protected.

Tesla did not immediately respond to a request for comment.

This is not the first Tesla hack, their website and twitter have also been jacked before an I expect to see more vulnerabilities in the future.

You can watch the full demo video from Keen Security Lab here:

Source: PC World

Posted in: Exploits/Vulnerabilities, Hardware Hacking


Latest Posts:


Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.


Comments are closed.