Security researchers from Chinese security firm Tencent Keen Security Lab have found and helped fix several vulnerabilities in Tesla Model X cars that would have allowed an attacker to control the vehicle from a remote location.
Keen Lab experts were able to control a stationary car's lights, in-vehicle displays, and open its doors and trunk. While in motion, researchers were also able to force the car to brake, potentially putting passengers at risk of injury.
In September 2016, the same researchers also hacked a Tesla Model S in a similar fashion. For the 2016 hack, researchers were able to gain control over more car functions. For example, while in parking mode, researchers were able to control a stationary car's lights, windows, car seats, sunroof panel, and in-vehicle displays. With the car in motion, Keen Lab experts were able to force the car to brake, open its trunk, adjust side-view mirrors, and activate the windshield wipers.
Improvements in Tesla firmware made the Model X harder to crack, but Keen Lab experts said they were still able to discover multiple zero-days in different car modules that allowed them to take control over the vehicle's CAN BUS and ECU (Electronic Control Unit).
These two are crucial components. The CAN BUS is a module that interconnects all of the car's internal components, while the ECU is an embedded system that controls the electrical system or subsystems in a transport vehicle.
In addition, Keen Lab experts say they managed to bypass Tesla's firmware code signing system that the company set up after their 2016 hack. Putting all these flaws together, researchers were able to install new firmware on a Model X and run custom commands.
Researchers put together a video to demonstrate their findings. The video ends in an impressive fashion with two Tesla Model X models putting on a coordinated light show synchronized to a song's beats.
Tesla addressed all reported issues in firmware update 8.1 (17.26.0) released in June. Researchers published their findings after most cars received the update via the car's FOTA (Firmware Over-The-Air) update system.
"By working closely with this research group following their initial findings last year, we responded immediately upon receiving this report by deploying an over-the-air software update (v8.1, 17.26.0+) that addresses the potential issues," a Tesla Motors spokesperson told Bleeping Computer today in an email. "While the risk to our customers from this type of exploit is very low and we have not seen a single customer ever affected by it, we actively encourage research of this kind so that we can prevent potential issues from occurring."
"This demonstration wasn’t easy to do, and the researchers overcame significant challenges due to the recent improvements we implemented in our systems. In order for anyone to have ever been affected by this, they would have had to use their car’s web browser and be served malicious content through a set of very unlikely circumstances," Tesla Motors added. "We commend the research team behind this demonstration and look forward to continued collaboration with them and others to facilitate this kind of research."
Below is the video from Keen Lab's 2016 Tesla Model S hack.
Article updated with Tesla Motors' comments.