Cyber security researchers have found six significant flaws in Tesla’s Model S cars that could allow hackers to take control of the vehicles and have safety implications for drivers.
Kevin Mahaffey, chief technology officer of Lookout, and Marc Rogers, principal security researcher at Cloudflare, said they decided to try to hack a Tesla because the company has a better reputation for understanding software than most automakers.
But the so-called “white hat” hackers, who probe internet-connected devices to try to push companies to improve security, still found vulnerabilities.
The hack on the Tesla car, to be detailed at the cyber security conference Def Con in Las Vegas on Friday, is the latest in a series of vulnerabilities discovered in connected cars. One high-profile case led Fiat Chrysler to recall 1.4m of its Jeep Cherokees last month.
The hackers had to physically access the Tesla first, which made it more difficult than many other hacks. Once they were connected through an Ethernet cable, they were later able to access the systems from afar.
This allowed them to take control of the screens. They were able to manipulate the speedometer to show the wrong speed, lower and raise the windows, lock and unlock the car and turn the car on or off.
“We shut the car down when it was driving initially at a low speed of five miles per hour. All the screens go black, the music turns off and the handbrake comes on, lurching it to a stop,” said Mr Rogers.
But when the researchers experimented with hacking the car at a higher speed, Tesla safety measures ensured they could not put the handbrake on. Instead, all the screens went blank, the car dropped to neutral and the driver maintained full control of the steering, giving them the opportunity to drive to the side of the road.
Tesla is issuing a patch to fix the flaws, which all drivers will have by Thursday. The company said drivers will be able to download the updates via wifi or a cellular connection.
This was another key safety feature that earned Tesla praise from the security researchers. Many carmakers did not have the ability to automatically send software updates to cars without drivers having to take the car to a dealership or mechanic.
Mr Mahaffey called on every car company to create an “over the air update” process, to install strong separation between the internet-connected entertainment network and the systems that control driving, and to ensure strong security on each element of the car.
He warned that “the internet is a hostile place for the uninitiated”, such as carmakers that have little experience with online security.
“They tend to look at their peers and they all do what each other is doing,” he said. “If no one has done a great job with security they are jumping off a cliff swiftly to their doom.”
Copyright The Financial Times Limited 2015.