According to TechCrunch, a chain of vulnerabilities has been discovered by white hat hackers that could potentially give them remote access to a Tesla car’s infotainment system, allowing them to turn off lights, activate wipers, pop the trunk, and honk the horn.
Fortunately, Tesla owners need not worry, as these cybersecurity researchers were searching for vulnerabilities to patch out, and their findings won them a combined cash prize of $350,000 and a Tesla Model 3 at the Pwn2Own hacking competition in Vancouver.
The researchers were able to use a time-of-check to time-of-use attack (TOCTTOU) to gain access to the Tesla’s Gateway system, which manages energy consumption, and thereby gain access to some parts of the car. Additionally, they used an exploit to gain root access to the car’s infotainment system through its Bluetooth chipset, enabling them to execute arbitrary code.
Although this may sound alarming, it appears that the vulnerabilities are not catastrophic, as Tesla has stated that the hackers could not turn the car on or off or take control of the steering wheel. Nevertheless, one of the researchers remains skeptical about the extent of the vulnerabilities.
“[Tesla] said we wouldn’t be able to turn the steering wheel, accelerate or brake,” Eloi Benoist-Vanderbeken, a Synacktiv engineer, told TechCrunch. “But from our understanding of the car architecture we are not sure that this is correct, but we don’t have proof of it.”
Regardless, the researchers want to emphasize that they’re confident in their system that makes Tesla difficult to hack into though some improvements are still needed.
“It’s not at the point of a modern browser running on an iPhone or an Android, but it’s not that far from it,” Vincent Dehors, a cybersecurity engineer part of the Synacktiv team, told TechCrunch. “Tesla cars are really well connected to the internet, so they need to take care of security because they are likely to be targeted more than other cars.”
