Chinese researchers from Tencent hacked a Tesla model once again

Security researchers from Chinese firm Tencent have once again demonstrated how to remotely hack a Tesla Model vehicle. Once the experts reported the flaws to the car makers it promptly patched them.

In a video PoC of the attack, researchers at Tencent’s Keen Security Lab demonstrated how they could hack a Tesla Model X, both while it was on the move and parked.

The attack is disconcerting, the hackers took control of the brakes, sunroof, turn signals, displays, door locks, windshield wipers, mirrors, and the trunk.

Tesla fixed the flaws and claimed that they were not easy to exploit.

The experts in response published a new blog post claiming they’ve hacked a Tesla Model X via a Controller Area Network (CAN bus) and Electronic Control Unit (ECU) attack.

“Keen Lab discovered new security vulnerabilities on Tesla motors and realized full attack chain to implement arbitrary CAN BUS and ECUs remote controls on Tesla motors with latest firmware.” reads the post.

“Several highlights for 2017 Tesla Research:

• Realized full attack chain as we did in year 2016 to implement arbitrary CAN BUS and ECUs remote controls.
• Discovered multiple 0Days in different modules. Currently, Keen Lab is working with Tesla and related manufactures on assigning CVE number of the vulnerabilities.
• Tesla implemented a new security mechanism “code signing” to do signature integrity check of system firmware that will be FOTAed to Tesla motors in Sept 2016. The code signing was bypassed by Keen Lab.
• The “Group lighting show of Model X” in our demonstration is technically arbitrary remote controls on multiple ECUs at the same time. It shows Keen Lab’s research capability on CAN BUS and ECUs.“

The experts noticed Tesla had implemented new security measures, such as the signature integrity check for its firmware, since their previous attack.

The researchers successfully bypassed the new security mechanisms in a new attack.

The video PoC shows the experts remotely unlocking the doors and trunk in parking mode, control the brake on the move and much more by taking control of multiple ECUs.

Tesla with the help of the researchers patched the vulnerabilities with version v8.1, 17.26.0 or above that was distributed to the vehicle in circulation over-the-air (FOTA upgrade firmware) update.

“The problems found in this study affect the sale of Tesla models and sales models, according to the Tesla security team’s report, the vast majority of the world’s Tesla vehicles have been successfully upgraded through the FOTA system firmware to ensure that Tesla users driving safety. We once again thank the Tesla security team for quick response and quick fix.” states the post published by Tencent.

Different the position of Tesla, a company spokesman tried to downplay the attack:

“While the risk to our customers from this type of exploit is very low and we have not seen a single customer ever affected by it, we actively encourage research of this kind so that we can prevent potential issues from occurring,” a Tesla spokesperson told SecurityWeek.

“This demonstration wasn’t easy to do, and the researchers overcame significant challenges due to the recent improvements we implemented in our systems,” they added. “In order for anyone to have ever been affected by this, they would have had to use their car’s web browser and be served malicious content through a set of very unlikely circumstances. We commend the research team behind this demonstration and look forward to continued collaboration with them and others to facilitate this kind of research.”

In November 2016, a group of security experts from security firm Promon has demonstrated how to exploit the Tesla app (for both Android and iOS) to locate, unlock and steal a Tesla Model S. The hackers used a laptop to remotely control the vehicle as demonstrated in the following video PoC.