Just like any other Internet-connected device, any car with built-in two-way remote communication between it and the outside world has the potential to be the victim of an unauthorised hacking attempt.
This week, that fact has been proven true with the claim that the Tesla Model S, unquestionably the most Internet-connected and remotely-connected car on the market today, has a major security flaw.
The claim reportedly comes from Chinese Internet security giant Qihoo 360, which says that a software flaw in the Model S operating system makes it possible for hackers to remotely unlock a Tesla and control the horn, headlights, wipers and panoramic sunroof.
Announced on the company’s Sina Weibo account (a Chinese microblogging platform similar to Twitter and Facebook) on Tuesday, the security giant didn’t give too many details on the particular security flaw.
If your Chinese is about as fluent as ours, here’s a computerised translation of that message.
“Our safety performance Tesla recently conducted a series of tests and found that the certificate can be used to unlock the remote control of the vehicle, whistle, flash and so on. And can open the sunroof while driving the vehicle. Tesla owners recently to be careful when driving rain suddenly open sunroof, become a drowned rat . We will publish more on SyScan360 for everyone Madden, more interesting research results, uncover the mystery of Tesla break”
While there are no more details of the hack, it’s worth noting that the announcement from Qihoo 360 was timed the day before the official start to the 2014 SyScan +360 security conference. One of China’s biggest Internet security conferences, SyScan +360 is jointly organised by Qihoo 360. This year, the conference’s traditional hacking competition is awarding a $10,000 prize fund to the first team to successfully hack into a Tesla Model S.
Since then, Qihoo 360’s social media stream has been full of Tesla hack posts. At the time of writing, at least seven of the white hat teams have figured out how to gain API access through reverse engineering methods.
“There are already seven teams get Tesla Apk analysis application code information through reverse, scoring 100 points, respectively,” the company said on Sina Weibo earlier today, while the next post simply says “Tesla crack contest is being carried out, the current team has analyzed the key yo radio signal band!”
While the contest hasn’t concluded yet, we think it’s fair to say that any obvious flaws in Tesla’s extensive software and hardware security system have now been well and truly exposed, giving Tesla — and hopefully the security experts who discovered them — plenty of information to patch them before less well-intentioned hackers figure out what the flaws are. It’s also worth noting that discovering the flaws and exploiting them are two very different things.
As for Tesla? While not supporting the conference or competition in any way, the Californian automaker is keen to work alongside those who discovered the flaws to retain the best possible security for its customers and their cars.
“While Tesla is not associated with the conference and is not a sponsor of the competition, we support the idea of providing an environment in which responsible security researchers can help identify potential vulnerabilities,” Tesla said yesterday in an official response to the news of the early security breaches. “We hope that the security researchers will act responsibly and in good faith.”
We’ll keep following the contest to its conclusion, and keep you up to date with any developments in this very scary — and very real — story. But we think it’s also prudent at this point to reiterate the point we made at the top of this article.
Be it a computer, a car, or an Internet-connected light switch, the act of linking one computerised system to another using a network connection always introduces a degree of vulnerability. The challenge for Tesla and other automakers is to respond as quickly and efficiently as any other software producer in the world, because at the end of the day, all modern automakers are software companies too.