Tesla Model S owners, take heart: Hack requires physical access to car's onboard computer

Tesla issues an over-the-air update after security researchers hack the car via its entertainment system.

Don Reisinger
Former CNET contributor Don Reisinger is a technology columnist who has covered everything from HDTVs to computers to Flowbee Haircut Systems. Besides his work with CNET, Don's work has been featured in a variety of other publications including PC World and a host of Ziff-Davis publications.

File this one under hacks that are technically possible -- but may be more trouble than they're worth.

Two security researchers have discovered a way to hack a Tesla Model S and bring the vehicle to a stop. However, the hack requires physical access to the inside of a Model S, making it difficult for any malicious hackers to pull off.

Kevin Mahaffey and Marc Rogers, security experts with Lookout and cloud-based services provider Cloudflare, respectively, found six vulnerabilities in the Tesla Model S, Mahaffey said in a post Thursday. These vulnerabilities let the researchers -- with initial physical access to the car's internal computer -- gain control of the infotainment system in a Model S and perform "any action accessible to the center touch screen or Tesla's smartphone app." In one case, Mahaffey said, the researchers were able to turn off the car while it was driving.

They plan to detail their research at the Defcon hacker conference in Las Vegas, Nevada.

Tesla, which has committed to ongoing security checks, said on Thursday that a patch for the vulnerabilities identified by Mahaffey and Rogers has already been sent to all vehicles via an over-the-air update.

"Our security team works closely with the security research community to ensure that we continue to protect our systems against vulnerabilities by constantly stress-testing, validating, and updating our safeguards," a spokeswoman said. "Lookout's research was a result of physically being in Model S to test for vulnerabilities. We've already developed an update for the vulnerabilities they surfaced which was made available to all Model S customers through an OTA update that has been deployed to all vehicles."

This hack of a Tesla Model S is just the latest in a string of high-profile electronic attacks on connected cars, raising concerns about vehicle cybersecurity. Cars are no longer standalone devices; they are part of the Internet of Things, the concept of using sensors and other tech to connect everyday items to the Web. This means cars can be as vulnerable as computers or smartphones to hacks, but with greater consequences.

One of the more troubling car hacks was revealed in July by security researchers working with Wired Magazine. They were able to remotely disable a Jeep Cherokee while it was being driven via a bug in the car's Uconnect system, which lets smartphone users communicate with certain Fiat Chrysler cars over the Internet using Sprint's network. Unlike the Tesla hack, it did not require any physical access to the vehicle. After the hack was publicized last month, Fiat Chrysler recalled 1.4 million affected cars and trucks -- the first cybersecurity recall in the vehicle industry.

Hacks of connected cars have also started to catch the attention of the general public. A study from Kelley Blue Book released on August 3 found that 71 percent of respondents were aware of the Jeep Cherokee hack and 41 percent said that they believe the recent hacking incidents will stick in their minds when shopping for their next vehicle. A third of those respondents said that they view car cyber attacks as a "serious" problem.

The Tesla hack required some serious legwork -- including physical access to a vehicle in order to connect a laptop to its onboard computer -- from Mahaffey and Rogers to truly take over the car. However, the researchers were eventually able to turn off the car while it was driving, which at low speeds will bring it to an immediate stop. If a Model S is going above five miles per hour, the car "shuts off its engine -- just like shifting a gasoline car into neutral -- while still providing the driver full control over steering and brakes so they can safely bring the car to a stop," Mahaffey wrote.

Tesla's efforts at security haven't been overlooked. Mahaffey said that even though the Model S suffered from some security flaws, Tesla is the most security-focused company on the market.

"Our research confirmed that Tesla indeed made a number of excellent security decisions in the design of Tesla Model S," Mahaffey wrote. "It also, however, has a number of areas where we believe Tesla can improve. Overall, I feel more secure driving in a Tesla Model S than any other connected car on the road."

Correction at 6:30 a.m. PT August 12: A misspelling in one instance of Kevin Mahaffey's name has been fixed.