Tesla Model S Well and Truly Hacked By Chinese Security Experts

Just like any other Internet-connected device, any car with built-in two-way remote communication between it and the outside world has the potential to be the victim of an unauthorised hacking attempt.

Hacked: a security contest in China has laid bare some of Tesla's security flaws in the Model S software.


This week, that fact has been proven true with the claim that the Tesla Model S, unquestionably the most Internet-connected and remotely-connected car on the market today, has a major security flaw.

The claim reportedly comes from Chinese Internet security giant Qihoo 360, which claims that a software flaw in the Model S operating system makes it possible for hackers to remotely unlock a Tesla, control the horns, headlights, wipers and panoramic sunroof.

Announced on the company’s Sina Weibo account (a Chinese microblogging platform similar to Twitter and Facebook) on Tuesday, the security giant didn’t give too many details on the particular security flaw.

The message where Qihoo claims the Model S has a major security flaw


If your Chinese is about as fluent as ours, here’s a computerised translation of that message.

“Our safety performance Tesla recently conducted a series of tests and found that the certificate can be used to unlock the remote control of the vehicle, whistle, flash and so on. And can open the sunroof while driving the vehicle. Tesla owners recently to be careful when driving rain suddenly open sunroof, become a drowned rat [Laughing] We will publish more on SyScan360 for everyone Madden, more interesting research results, uncover the mystery of Tesla break”

While there are no more details of the hack, it’s worth noting that the announcement from Qihoo 360 was timed the day before the official start to the 2014 SyScan +360 security conference. One of China’s biggest Internet security conferences, SyScan +360 is jointly organised by Qihoo 360. This year, the conference’s traditional hacking competition is awarding a $10,000 prize fund to the first team to successfully hack into a Tesla Model S.

Since then, Qihoo 360’s social media stream has been full of Tesla hack posts, with at least seven of the white hat teams at the time of writing figuring out how to gain API access through reverse engineering methods.

“There are already seven teams get Tesla Apk analysis application code information through reverse, scoring 100 points, respectively,” the company said on Sina Weibo earlier today, while the next post simply says “Tesla crack contest is being carried out, the current team has analyzed the key yo radio signal band!”


While the contest hasn’t concluded yet, we think it’s fair to say that any obvious flaws in Tesla’s extensive software and hardware security system have now been well and truly exposed, giving Tesla — and hopefully the security experts who discovered them — plenty of information to patch them before less well-intentioned hackers figure out what the flaws are. It’s also worth noting that discovering the flaws and exploiting them are two very different things.

As for Tesla? While not supporting the conference or competition in any way, the Californian automaker is keen to work alongside those who discovered the flaws to retain the best possible security for its customers and their cars.

“While Tesla is not associated with the conference and is not a sponsor of the competition, we support the idea of providing an environment in which responsible security researchers can help identify potential vulnerabilities,” Tesla said yesterday in an official response to the news of the early security breaches. “We hope that the security researchers will act responsibly and in good faith.”

We’ll keep following the contest to its conclusion, and keep you up to date with any developments in this very scary — and very real — story. But we think it’s also prudent at this point to reiterate the point we made at the top of this article.

Be it a computer, a car, or an Internet-connected light switch, the act of linking one computerised system to another using a network connection always introduces a degree of vulnerability. The challenge for Tesla and other automakers is to respond as quickly and efficiently as any other software producer in the world, because at the end of the day, all modern automakers are software companies too.



  • Surya

    No real surprise. But if the only things they can do are turn on the lights and open the sunroof, I’d say it’s not too bad (for now).

    • Ďakujem

      Unless it’s raining. At night! 😀

    • Michael Thwaite

      Yeah, this is really the equivalent of the 80’s center punch to the side window… Don’t leave stuff in your car.

  • Dennis Pascual

    Based on the capabilities of the attack, it would seem like the flaw was discovered with the same API that users of prune Google Glass App, VisibleTesla, the Chrome Add In or any other API based app that mimics the Model S Telematics Apps (for iOS or Android.). I wonder if Tesla will roll out a new authentication and forcibly revoke all access until users re-authenticate their apps.

    Additionally, the hackers could have gotten access to End User account usernames and passwords…

    • Christian G

      If it was just a Username/Password hack it’s not a big deal. But sure, if Tesla comes up with additional authentication methods all the better. The findings are a whole lot more interesting if they really found a flaw in the API and accessed the functions without the username/password.

  • Jim,

    You’ll note that we avoided adding the July 4th incident to our story today. That’s because at the time of writing, we don’t have any evidence to support one theory or another. And since there’s still an ongoing investigation into the matter, we think it’s the best thing to do, at least until the relevant authorities have finished with the investigation.

    We suggest that you may want to consider doing the same thing. In the meantime, if you’ve got security related data to discuss, please share!

    • vdiv

      You seem to have a few things confused. Can you give us an example of the alleged speculations that were not explicitly called as such? You seem to be eager to slander Nikki. You seem to be an anti-Tesla fanboi, you know as the sword swings the other way too.

      Feel free to start your own website, do your own research, and post your own findings, and let’s see how much following you will get.

      In the meantime your demeanor is really not appreciated here.

      • vdiv

        The fact is if you don’t like what Nikki or anyone else here has to say you can close the browser and be on your merry way. And seek some help while at it.

    • Hi Jim,

      We have no vested interest in Tesla — nor in any other automaker. In fact, none of our editorial team have shares in any automakers.

      As I’ve previously said, we’ll be happy to discuss any evidence you have for your claims, but if you have none, it’s probably best not making them.

      Safety concerns are a big issue for every automaker, and Tesla is no more or less under threat than any other Internet-connected car.

      As I’m sure you’ll realise, it’s corporate policy for most automakers to refrain from public comment until all the facts have been properly ascertained. I’m sure the same is true here.

      • Esl1999 .

        I woke this morning with bated breath to see your responses to my comments only to find you’ve succumbed to a troll. I’m very disappointed. Maybe, Bjorn-don’t call us, we’ll call you-Nyland may have been right after all.

        Hey, this trolling thing is, kind of, fun.

    • Kate Gordon-Bloomfield

      I believe that Professor Elemental has something to say about this. https://www.youtube.com/watch?v=F8DGFh0aNKI

  • Gaskilla

    My question is how do you identify an individual Tesla to hack into? You need a username to hack a password so unless they hacked into Tesla’s customer database I don’t see how this is useful. It sounds like they hacked the Tesla app on someone’s phone.