Chinese researchers announced Monday that they had discovered security vulnerabilities in the Tesla Model S that allowed them to take over the vehicle’s brakes and more without laying a finger on the car.
While other researchers have hacked into Tesla vehicles, this appears to be the first time researchers were able to do so remotely — highlighting the security risks of the sophisticated software and online features now being built into vehicles.
A video posted by the researchers from Tencent’s Keen Security Lab appears to show them controlling the vehicle's brakes, as well as manipulating its side mirrors, running the windshield wipers and popping the trunk while the car is in motion. The researchers were also able to manipulate some other features while the vehicle was parked, including opening the sunroof, controlling some of the vehicle’s lights and unlocking the doors, according to the video.
In a blog post, the researchers wrote that they reported the vulnerabilities to Tesla, and the company confirmed the hack. The researchers only tested out their method on “multiple varieties of Tesla Model S,” but said that it’s “reasonable to assume that other Tesla models are affected.”
Tesla said in an emailed statement that it "deployed an over-the-air software update" to fix the problem within 10 days of being informed about the bug. The company said the vulnerabilities that Keen Security Lab uncovered would only be accessible under a very specific circumstance: when the vehicle’s Web browser was in use and the car was connected to a malicious WiFi hotspot.
“Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly,” the Tesla statement said.
Tesla plans to reward the researchers under its bug bounty program, according to the statement. Tesla was the first automaker to roll out such a program, which offers cash rewards to independent researchers who help the company uncover problems in its software. The company pays up to $10,000 per bug.
While this seems to be the first remote hack against a Tesla vehicle, researchers have found ways to remotely take over vehicles offered by other manufacturers. Most notably, in 2014 researchers Charlie Miller and Chris Valasek demonstrated that they could remotely control a Jeep Cherokee.