Security researchers from Tencent’s Keen Security Lab have done it again: they’ve found vulnerabilities in one of Tesla’s cars and demonstrated that they can be exploited remotely to do things like open the car’s doors and force it to brake while in motion.
What’s more, they’ve also managed to bypass the code signing/signature checking mechanism Tesla introduced last year to make sure that their cars accept only firmware updates signed by the company.
The researchers discovered multiple zero-days in different car modules, ultimately affecting both the car’s CAN bus, which allows all the car’s microcontrollers to communicate with each other, and its Electronic Control Unit (ECU), which controls the car’s electrical system and subsystems.
They have demonstrated that, while the car is parked, they can make the car switch lights on and off, lower and raise windows and car seats, open and close the sunroof panel, and fiddle with the in-vehicle displays. They also showed that they can make a moving car brake, open its trunk, and activate its windshield wipers – things that could lead to serious accidents and even loss of life if the travelling speed is high.
They have responsibly disclosed the vulnerabilities to the car maker, and Tesla pushed out the needed security patches over the air in July.
“The reported issues affect multiple models of Tesla motors. Based on Tesla’s report, most of the active Tesla motors have been updated to new firmware with patches via FOTA [Firmware Over-The-Air],” the researchers noted.
Still, they urged Tesla car owners to check whether they have received firmware version 8.1 (17.26.0) or later, and if not, to force the update themselves.
Tesla is known for welcoming research of this kind and they’ve repeatedly proven to be quick to respond to disclosures of security issues, effectively setting an example for other automakers.
As a side note: ICS-CERT issued an alert last week about another vulnerability in the CAN bus protocol. That one can only be exploited by attackers who have physical access to the target car’s input port (typically OBD-II).