Until this week, a deranged mechanic could remotely hack and hijack a Tesla Model S car long after it left the shop.
There were computer flaws in the car’s software, according to two security researchers who plan to reveal their discoveries at the DEF CON hacking conference on Friday. They gave CNNMoney a preview of their findings.
Anyone with physical access to the inside of the Model S could infect it with malware that later gave them remote control of the car. A hacker could turn it off without warning, open doors or make the electronics display faulty information.
Moved by the findings, Tesla just issued a fix. Cars will automatically receive software updates over their existing wireless Internet connections on Thursday, the company said.
Tesla stressed that this particular hack required initial physical access to the inside of the car.
The researchers were Kevin Mahaffey, who co-founded the cybersecurity startup Lookout, and Marc Rogers, a security researcher at CloudFlare, which protects websites from hacks.
The duo said they found half a dozen other flaws with the Model S. For instance, Tesla cars were using an outdated, four-year-old Web browser. That means the browser was susceptible to all sorts of known hacks that other browsers, like Google Chrome and Mozilla Firefox, have already fixed.
Heading to the wrong website could let the car get infected, giving hackers remote control of the car, Rogers explained. That’s because the sensitive instruments inside the car (for example, the brakes) weren’t verifying that they were getting instructions from a legitimate source.
After accessing the car’s dashboard and loading it with malware, Mahaffey and Rogers took the Tesla to an empty parking lot in Los Angeles and sent remote commands to the car from an iPhone. Rogers was able to unlock the car’s doors, pop open the trunk and (at extremely slow speeds) lurch the car to a halt while making everything inside go dark.
To Tesla’s credit, at high speeds, the command to shut the car off just put the vehicle in neutral and let the driver steer it to a safe spot.
Rogers said that, despite the flaws they found, Tesla is actually way ahead of all other car manufacturers. He called them proactive and very receptive to security advice.
“In the auto industry, that’s unusual,” Rogers said.
Cars are still mostly dumb on the inside — yet companies are rushing to slap Internet connectivity on them anyway. The end result is like having a smartphone on wheels, except it’s a device that’s incredibly susceptible to computer viruses — and travels at highway speeds.
“Modern cars have more in common with a laptop than they do with the Ford Model T,” Mahaffey stressed.
This flaw in Teslas is only the latest example. In July, Chrysler was forced to recall Jeeps and other models after researchers revealed Chryslers can be hacked over the Internet.