Security Researchers Hack a Tesla Model S, Expose Vulnerabilities

Two security researchers have discovered a way to manually hack Tesla’s Model S by plugging in their laptop to an Ethernet port located in the dashboard. The duo are expected to reveal and discuss vulnerabilities found from nearly two years of research, at the Def Con hacker conference on Friday in Las Vegas, reports Wired.

Tesla cars are some of the most secure and advanced vehicles in the world. They run on electricity, are immune to being hot-wired under the hood or by the dashboard of the vehicle. Fundamentally, Tesla vehicles are likely to be the most connected automobiles on the planet and yet among the best protected from digital attacks.

Marc Rogers, chief security researcher for CloudFlare and Kevin Mahaffey, co-founder and the chief technology officer or mobile security firm Lookout discovered the Tesla Model S to be more secure than most vehicles and had praise for the luxury car.

The plugged-in hack

Unperturbed, the duo were able to find vulnerabilities in the model S by ripping apart the vehicle, quite literally, by dismantling the dashboard to find an Ethernet port that plugs in directly to the CAN bus (Controller Are Network) of the Model S. The CAN bus is the nerve center where car data is sent and received, making it a vital part of the vehicle.

Once plugged in, the researchers found a hijack that took advantage of four different vulnerabilities, enabling them to access the infotainment systems and the on-board touchscreen used to control features and functions in the Model S.

“We took a bunch of relatively innocuous vulnerabilities you wouldn’t think very much about and by chaining them together and by using each one of them to leverage our ability to gain a bit more access, we were able to go deeper and deeper and deeper into the car until eventually we gained full control of the entertainment system…. Stringing all of these together was enough for us to gain user-level access and then ultimately superuser level access to the infotainment systems,” said Rogers.

The researchers made the following discoveries:

  • With the manual plug-in, the car could be started with a software command initiated by the laptop.
  • The duo could plant a remote-access malicious Trojan which enables a hacker to remotely shut off the targeted vehicle’s engine when someone else was driving it.
  • Car windows could be open and shut, the vehicle’s suspension was also vulnerable, allowing the researchers to lower and raise them.
  • Crucially, the researchers were also able to shut off the power to the car, killing it effectively.

The vulnerabilities highlighted by the researchers joins the ranks of a spate of cyber-attacks targeting consumer cars and vehicles vulnerable to hacking, raising concerns of cybersecurity in vehicles. Less than a month ago in July, two hackers were able to remotely control and gain complete access to a Jeep Cherokee, prompting Fiat Chrysler to issue a formal recall of 1.4 million vehicles in total.