Tesla Patches Cars Against Wi-Fi 'Braking' AttackResearchers' Hack Turned on Wipers, Opened Doors and Applied Brakes
Electric car manufacturer Tesla has updated its firmware after researchers in China demonstrated how they could remotely turn on the windshield wipers, open the trunk and apply the brakes in brand-new Model S sedans.
The researchers, from Tencent's Keen Security Lab, released a video and blog post on Sept. 19 after Tesla had been privately informed of the software. An over-the-air software update was delivered 10 days after Keen notified Tesla. The car maker maintained that the risk to customers was very low.
"We commend the research team behind today's demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research," the company says in a statement.
The automotive industry has been under increasing pressure to ensure its software is free of vulnerabilities that could jeopardize safety. Cybersecurity experts have warned for years that the increasing complexity of vehicle computers, combined with network connectivity, poses vast new risks.
A dramatic public demonstration of a vehicle hack last year advanced those concerns. Chris Valasek and Charlie Miller remotely triggered a 2014 Jeep Cherokee's brakes on a California highway. While the demo was criticized for its possible risks to the public, it illustrated that worries about vehicle hacking were already far beyond theoretical (see Creating Cybersecurity Rating Systems for Cars).
That hack was enabled by software vulnerabilities in UConnect, which is a telematics unit used for navigation and entertainment. As a result of the research, Fiat Chrysler recalled 1.4 million vehicles.
To strengthen security, Fiat Chrysler and Tesla launched bug bounty programs this year that reward independent researchers for responsibly reporting security flaws. Vehicle manufacturers have also established the Automotive Information Sharing and Analysis Center (Auto-ISAC) to share information on vehicle-related threats (see Car Hacking Spurs Automakers to Share Threat Information).
Wipers Are On
Keen Research Lab's video shows the effects of the researchers' attacks against two Tesla Model S sedans in a rainy parking lot.
Their blog post says the software problems, uncovered over several months, granted access to the Controller Area Network bus (CANbus), a critical unit that brokers signals from a variety of electronic systems.
The demonstration, while light on technical detail, shows how they were able to open the sunroof, turn on a turn signal, move the driver's seat back and lower the back left window on a white Model S P85 Tesla.
A second attack was directed against a red Model S 75D. Senior researcher Sen Nie asks Keen Security Lab Director Samuel Lv to figure out where the nearest charging station is. Lv sits in the red Tesla for a bit and comes back, saying a charge point is about six miles away. Ling Liu, a Keen researcher, then says, "It is ready."
Lv returns to the vehicle to find that the large, 17-inch touchscreen tablet mounted on the dashboard is unresponsive, and the driver's instrument cluster is also frozen. Both displayed the logo for Keen Security Lab. In a low-speed driving demo, they turn on the windshield wipers, open the trunk, manipulate a right-side mirror and trigger the brakes remotely from 12 miles away.
Tesla's statement indicated the software problems are linked to the touchscreen tablet's web browser.
"The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious Wi-Fi hotspot," the company says. "Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly."
Craig Young, a cybersecurity researcher with Tripwire, says a Wi-Fi attack could only be conducted at a maximum distance of around 900 feet. "I suspect that the attack may have actually been possible by another user on the same cell tower or with a cell site stimulator," Young says. "In this case, I hope that the researchers do release further details to help understand the automotive attack surface better."
Nonetheless, the exercise shows how security holes in an application can be used to gain kinetic control over a vehicle. "Ideally these systems should be completely isolated from one another," Young says.
The up-to-date software is v7.1 2.36.31, and drivers are advised to ensure the patches have been applied.