That’s not good.
Good Guys, Bad Hack
Hackers have discovered a chain of vulnerabilities that could allow them to remotely break into a Tesla, granting control over its infotainment system and letting them turn off lights, pop the trunk, activate wipers, and even honk the horn, TechCrunch reports.
Tesla owners can breathe easy for the time being, though, because the hackers in question were white hats, or cybersecurity researchers who poke and prod for vulnerabilities in a system so they can be patched out.
The researchers, who work for the security firm Synacktiv, won a heap of big prizes for their findings at the Pwn2Own hacking competition in Vancouver, taking home a cool $530,000 and the very Tesla Model 3 they managed to hack into.
Safe For Now
One of the exploits they used, known as a time-of-check to time-of-use attack, or TOCTTOU, gave them access to the Tesla’s Gateway system that manages its energy consumption. This is what the researchers say allowed them to more or less control portions of the car, like lights or doors.
Another exploit in their arsenal was an attack on the Tesla’s Bluetooth chipset that gained them root access to the car’s infotainment system, essentially allowing them to execute whatever code they wanted.
That sounds bad, and it is. But from what we can tell, the vulnerabilities they discovered aren’t outright catastrophic, as the most crucial systems remain sacrosanct. Tesla says the vulnerabilities wouldn’t allow hackers to turn the car on or off, for instance, or take control of the steering wheel.
At least one of the researchers isn’t completely convinced, however.
“[Tesla] said we wouldn’t be able to turn the steering wheel, accelerate or brake,” Eloi Benoist-Vanderbeken, a Synacktiv engineer, told TechCrunch. “But from our understanding of the car architecture we are not sure that this is correct, but we don’t have proof of it.”
The Exception
Still, the researchers wanted to emphasize that they think Tesla has done well to make their systems difficult to hack into — though clearly, there’s some room for improvement.
“It’s not at the point of a modern browser running on an iPhone or an Android, but it’s not that far from it,” Vincent Dehors, a cybersecurity engineer on the Synacktiv team, told TechCrunch. “Tesla cars are really well connected to the internet, so they need to take care of security because they are likely to be targeted more than other cars.”