Researchers from Keen Security Lab have been able to remotely control various operational functions of a Tesla car while it was being driven, and from some distance away.
Since the ‘controlled hack’, Tesla has updated its software to prevent any future manipulation of its cars.
This hack is worrying for three reasons.
First, it was conducted from a great distance – posing no risk to the hacker – and second, the hackers were able to gain near full control.
Third, the attack was conducted online via a web browser, and not, as Tesla has previously suggested, on a malicious Wi-Fi network.
“The disclosure definitely is a cause for alarm as the attack definitely involved exploitation of a web browser leading to physical control over the car. Ideally these systems should be completely isolated from one another,” said Craig Young, security researcher at Tripwire.
During the experiment, a Chinese researcher took control of a vehicle from the passenger seat while someone else was behind the wheel. The security implications are severe, and even though the software has been updated, hacking threats will continue to evolve to bypass these improved operating systems.
“The problem,” said Mark James, security specialist at ESET, “is that delivering secure software is a constantly changing factor, what is considered secure today may not be secure tomorrow. The ability to modify and push our updates is very important, making sure the user is well aware of any updates and making it easy for them to be applied needs to be top of the list when it comes to protecting the users of these types of vehicles.”
Tesla, however, do have the ability to provide automatic updates on their cars to address vulnerabilities, without owners needing to attend a dealership.
The ability to conduct over-the-air updates is hugely important, but whether they could be instigated in real time to prevent an ongoing hack is the question that should be at the forefront of manufacturers' minds.
Brian Spector, CEO at MIRACL, suggests “manufacturers should deploy a distributed trust model which allows for fast pre-authorisation, and removes the roadblock of a centralised service” to solve this problem of slow verification and update services, with the aim of connecting “the components more quickly and autonomously”.