Tesla, Hollywood's Favorite Eco-Car, Vulnerable to 'Speed'-Like Hijacking
Security experts expose weaknesses in Tesla's Model S and other eco-cars that could lead to a hijacking or worse.
This story first appeared in the Aug. 15 issue of The Hollywood Reporter magazine.
Organizers of the Syscan 360 security conference, which took place July 16 and 17 in Beijing, made a tantalizing offer: $10,000 to anyone who could hack into a Tesla Model S. They did not have to wait long: China-based Qihoo 360 Technology Co. quickly announced that its IT department had taken over a Tesla remotely and was able to turn on and off its headlights, open and close its sunroof, sound its horn and manipulate its locks -- all while the car was moving. (In March, a corporate security consultant and Tesla owner revealed that the Model S could be unlocked remotely and its location revealed by hacking a six-character password on a mobile app, a flaw that Tesla has since patched.)
The incidents have sent a chill through security experts as well as the Hollywood stars and executives who have turned the $70,000-and-up electric Teslas into must-have vehicles for the environmentally conscious. Such heavily computerized cars are vulnerable to attacks that could compromise steering, braking and acceleration. As cars become increasingly connected, say experts, the passwords and other defenses that protect their onboard computers must be made far more robust -- because once hackers penetrate deeply enough, it is not implausible to envision a real-life sequel to the 1990s Speed movies.
In a 2013 study, security experts Chris Valasek and Charlie Miller hacked into the software controlling a Toyota Prius and were able to command the car to slam on its brakes, turn off its headlights, disable its power steering or jerk its steering wheel sharply, as well as sound its horn continuously. Although their hack was performed by connecting a laptop to the car's data port, Valasek, director of vehicle security research at Seattle's IOActive, says it is possible to hack these and other functions remotely.
During a presentation Aug. 6 at the Black Hat USA security conference in Las Vegas, Valasek and Miller will demonstrate that "achieving such control is possible, depending on remote vulnerability [and] the ability to send messages to the proper computer in the car," Valasek tells THR. Cars with high-speed connectivity "baked in" to their infotainment systems, such as the Model S and the Audi A3, offer "another way for attackers to find a weakness and exploit it." (Valasek and Miller have developed a countermeasure that scans a car's computers for attacks and alerts the driver.)
A Tesla spokeswoman downplays the risk, telling THR, "We would like to assure all customers that our security and engineering teams are already working on updates that address these issues."