Security researchers at China’s Keen Security Lab recently warned of several major security vulnerabilities in the Tesla Model S, which enabled them to control several aspects of the car remotely without having any physical contact with the vehicle itself.
While the car was parked, the researchers were able to open the sunroof, move the car seat, activate the turn signal, disable the control screen, and unlock the doors. While the car was driving, they could remotely activate the windshield wipers, fold in the rear-view mirrors, pop the trunk, and activate the brakes from as far as 12 miles away.
All vulnerabilities were reported to Tesla, and were fixed in a recent firmware update.
“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars,” the researchers wrote. “We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected.”
“Keen Security Lab would like to send out this reminder to all Tesla car owners: PLEASE DO UPDATE THE FIRMWARE OF YOUR TESLA CAR TO THE LATEST VERSION TO ENSURE THAT THE ISSUES ARE FIXED AND AVOID POTENTIAL DRIVING SAFETY RISKS,” the researchers added.
In a statement provided to The Verge, Tesla said, “Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues.”
“The issue demonstrated is only triggered when the Web browser is used, and also required the car to be physically near to and connected to a malicious Wi-Fi hotspot,” the company added. “Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.”
RiskVision CEO Joe Fantuzzi told eSecurity Planet by email that just like healthcare and other verticals, the automobile industry is facing more and more risk. “While self-driving cars and connected systems offer a myriad of benefits for speed, efficiency and convenience, they also expose new attack vectors and present new vulnerabilities that elevate risk in the automotive industry,” he said. “Consequently, cars are becoming a leading target for cyber attacks.”
“Unlike MOST other industries, automotive risk posture is jeopardized by the fact that malware exploiting vulnerabilities carries real world consequences that can potentially endanger people’s lives,” Fantuzzi added. “As with any mission critical asset to a business, it’s now critical that the automobile industry double down on its vulnerability management practices, solutions and strategies to ensure these kinds of risks are minimized to the greatest extent possible.”
Earlier this week, the U.S. Department of Transportation issued a new Federal Automated Vehicles Policy for the safe testing and deployment of automated vehicles. The policy lays out a 15-point Safety Assessment that sets clear guidelines for manufacturers developing automated or self-driving vehicles.
Among the guidelines is one on Vehicle Cybersecurity, which includes the following: “Manufacturers and other entities should follow a robust product development process based on a systems-engineering approach to minimize risks to safety, including those due to cybersecurity threats and vulnerabilities. … The entire process of incorporating cybersecurity considerations should be fully documented and all actions, changes, design choices, analyses, associated testing and data should be traceable within a robust document version control environment.”
Last week, Volkswagen announced the formation of CYMOTIVE Technologies, a new automotive cyber security company, in cooperation with three Israeli experts. “The age of the connected car enables customers to use a variety of features inside modern vehicles,” the company said in a statement. “However, with increasing connectivity comes an increasing risk. Aspects such as intelligent and autonomous driving increase the number of interfaces in the vehicle and thus the risk of malicious attack.”