A team of security researchers from China have remotely hacked into a brand new Tesla Model S, controlling its sunroof, lights, boot and even the brakes from a laptop several miles away.
Thankfully, Keen Security Lab, a division of the Chinese internet company Tencent, are 'white hat' hackers, who have only made the exploit public now that Tesla has fixed the problem worldwide with an over-the-air software update.
The hack, shown off in a YouTube video, requires the car to connect to a malicious Wi-Fi hotspot. The team then demonstrates how a driver searching for nearby charger stations online (after connecting to the network) opens the back door for hackers to break into the Tesla's software. Once remote access to the car has been established, the hackers are then able to control various features, including the brakes, while the car is moving.
Potential hackers could also have used this exploit, before it was patched by Tesla, to unlock the doors, take over control of the dashboard computer screen, open the boot, move the seats and activate the indicators, as well as fold in the wing mirrors while the car is being driven. The most alarming aspect, of course, is how the brakes can be applied without the driver's involvement.
Thankfully, the flaw was disclosed to Tesla in private and the company fixed the issue within 10 days. A software update was sent out to all cars to remove the vulnerability from their software, and only then did Keen Security Lab go public with their discovery.
But the very fact this hack took place has raised alarm bells in the cyber security world. Brian Spector, CEO of cyber security firm Miracl, said: ""These hacks demonstrate the serious problems around identity verification in today's connected cars. Having very limited encryption, identity management and data protection within such a powerful computer is extremely dangerous and poses a real and serious threat to everyone using our roads today."
Moving forward into a world of autonomous cars, Spector said: "The potential fallout from this lack of authentication becomes even more frightening."
In a statement sent to US media, Tesla said: "The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious Wi-Fi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly ... We commend the research team behind today's demonstration and plan to reward them under our bug bounty programme, which was set up to encourage this type of research."
110 Reykjavik, Iceland