A group of ‘white hat’ researchers has proved that it can still hack into and control Tesla self-driving cars, despite a recent security upgrade.
In a blog post, Keen Security Lab said it had ‘discovered new security vulnerabilities on Tesla motors’ and realised a ‘full attack chain to implement arbitrary CAN BUS and ECUs remote controls on Tesla motors with [the] latest firmware’.
Keen Security Lab, part of Chinese firm Tencent, which recently acquired a stake in the US electric car manufacturer, said it had bypassed Tesla’s new ‘code signing’ security mechanism, which was announced after a hack last year.
It posted a video showing its researchers remotely opening the doors and boot of two Tesla Model X vehicles, causing a car to brake as it drove towards them, and making a pair of cars flash their lights in sequence in an ‘unauthorised Xmas show’.
In the video a researcher comments that unlocking doors only impacts the security of personal property but adds somewhat indisputably that ‘if the car can be fully controlled it might impact personal safety’.
The group said it had discovered multiple undisclosed software vulnerabilities in different modules and was working with Tesla and related manufacturers.
It said it had followed a ‘responsible disclosure’ process to report all security vulnerabilities to Tesla, whose product security team had ‘verified and confirmed all the bugs in our report’.
The group added that security patches had been made and ‘efficiently’ deployed to vehicles remotely in July.
It said: ‘The reported issues affect multiple models of Tesla motors. Based on Tesla’s report, most of the active Tesla motors have been updated to new firmware with patches via FOTA (Firmware Over-The-Air)’.
Last month Tesla CEO Elon Musk told a conference that one of the biggest risks for autonomous vehicles is somebody achieving a fleet-wide hack.
In a report published last month, legal firm Burges Salmon, part of the FLOURISH multi-sector collaboration on Connected and Autonomous Vehicles (CAVs), warned that ‘the wider adoption of CAVs is likely to see cyber criminals finding increasingly more innovative ways to attack and exploit the technology and the data’.
It said many risks need to be considered, ‘from hackers stealing vehicles remotely to stealing vast amounts of data and more sinister incidents of cyber attacks for other criminal activity’.
The report identified ‘loss of control over CAV assets or systems as the result of external cyber attack’ as one of the main cyber security threats to CAVs.