Tesla patches exploit that left Model S potentially vulnerable to remote access

Tesla moved quickly to patch a vulnerability discovered by Tencent security research team Keen Security Lab that rendered the Model S susceptible to remote attacks, provided the Tesla Model S was currently making use of its in-car web browser, and also physically close to and connected with a maliciously modified Wi-Fi hotspot.

Keen’s security team had been focusing on Tesla vehicles over the course of several months, and were able to combine a number of security vulnerabilities in order to achieve the exploit they demonstrated, which allowed them to remotely gain control of the vehicle to trigger things including the turn signal, the sun roof, the seat position and unlock the doors while the vehicle is parked.

When in motion, the exploit allowed the researchers to control the vehicle’s wiper blades, fold in the driver- and passenger-side rearview mirrors, open the trunk, and even bring the vehicle to a stop.

Keen Security Lab reported the vulnerabilities to the Tesla security team prior to discussing it publicly, and Tesla moved quickly to patch the exploit vector, issuing an over-the-air software update that’s available now to Model S owners within two weeks of receiving Keen’s report. Here’s the statement Tesla provided on the issue and the fix:

Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious Wi-Fi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.

We engage with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today’s demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research.

Model S owners can, and are encouraged to update their vehicle firmware as soon as possible, but as noted in the release, if it’s going to be a while before you can properly install the update, in the meantime as long as you avoid connecting to any suspicious open Wi-Fi networks and/or avoid using your browser, you won’t be at risk.