Security researchers claim to have been able to hack into the navigation system of a Tesla Model 3, getting the vehicle to turn itself on.
In early June, security specialists from Regulus conducted a test drive of the vehicle using its autopilot feature and discovered a potentially lethal security flaw.
Tesla Model 3 was successfully spoofed in several attack scenarios
The researchers claimed that current versions of this feature enable drivers to “waive the confirmation requirement if they choose” and that, as a result, the car can “activate the turn signal and start turning on its own”.
“Tesla Model 3 was successfully spoofed in several attack scenarios. The navigate on autopilot feature is highly dependent on GNSS [Global Navigation Satellite System] reliability and spoofing resulted in multiple high-risk scenarios for the driver and car passengers,” claimed the researchers.
According to Regulus, other effects included “extreme deceleration and acceleration, rapid lane changing suggestions, unnecessary signaling, multiple attempts to exit the highway at incorrect locations and extreme driving instability”.
This research doesn’t demonstrate any Tesla-specific vulnerabilities, that hasn’t stopped us from taking steps to introduce safeguards
They went on to claim that the test proves “beyond doubt the crucial dependence on GNSS for any level 2+ autonomous navigation and the high threat spoofing poses to drivers and passengers utilizing these features”.
During the Tesla 3 experiment, the researchers mounted a spoofing antenna on the car’s roof to simulate an outside attack and see if the car could isolate against the spoofing.
They continued: “This is the typical case in which an external attacker would try to influence the car. This was also done to prevent the spoofing from affecting any nearby cars or other GNSS receivers.”
Yoav Zangvil, CTO and co-founder of Regulus, warned that GNSS spoofing is a growing threat to advanced driver-assistance systems (ADAS) and autonomous vehicles.
“Until now, awareness of cybersecurity issues with GNSS and sensors has been limited in the automotive industry,” said Zangvil.
“But as dependency on GNSS is on the rise, there’s a real need to bridge the gap between its tremendous inherent benefits and its potential hazards.
“It’s crucial today for the automotive industry to adopt a proactive approach towards cybersecurity.”
After Regulus reported its research findings to Tesla, its Vulnerability Reporting Team responded: “Any product or service that uses the public GPS broadcast system can be affected by GPS spoofing, which is why this kind of attack is considered a federal crime.
“Even though this research doesn’t demonstrate any Tesla-specific vulnerabilities, that hasn’t stopped us from taking steps to introduce safeguards in the future which we believe will make our products more secure against these kinds of attacks.”
Cloud & Infrastructure Live 2019 returns to London on 19th September 2019. Learn about the latest technologies in cloud, how to keep one step ahead of the regulators, and network with an audience of IT leaders and senior IT pros. The event will include keynotes, panel discussions, case studies, and strategic and technical streams. Best of all, the event is FREE to qualifying attendees. Secure your place now.
Attending Cloud & Infrastructure Live 2019 already? Why not enter the Computing Cloud Excellence Awards that will be celebrated in the evening, too?