Tesla: Model S software update will patch flaws exposed by hackers

Researchers took control of a Tesla Model S electric car and switched it off while the car was running at low speeds. Tesla has already issued a patch, the company said, and all Tesla owners will be able to update their cars today. 

A Tesla vehicle is parked at a charging station outside of the Tesla factory in Fremont, Calif.

Jeff Chiu/AP/File

August 6, 2015

Fiat Chrysler Automobiles has come under intense public scrutiny after a pair of hackers took control of a Jeep Cherokee remotely through its Uconnect infotainment system and disabled certain features, including its brakes and transmission.

Publicity around that vulnerability quickly led the company to recall 1.4 million vehicles for a fix, under strong pressure from the National Highway Traffic Safety Administration (NHTSA).

Now, it's Tesla's turn.

According to a report in Britain's Financial Times, two hackers will explain tomorrow at the DefCon conference in Las Vegas how they took control of a Tesla Model S electric car and switched it off while the car was running at low speeds.

The article says that a pair of "white-hat" researchers--Kevin Mahaffey, chief technology officer of Lookout, and Marc Rogers, principal security researcher at Cloudflare--identified a collection of six security flaws that permitted the hack.

They decided to target Tesla, they said, because of its reputation as a software-centric company--which might mean its software would be less vulnerable than that of legacy automakers.

 As it turned out, Tesla's Silicon Valley origins were apparently not enough to produce entirely secure vehicle control software.

White-hat hackers are those who search for security flaws in order to push companies to fix them and focus more intently on preventing such flaws in the future.

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

They contrast to "black-hat" hackers whose goals are malicious, destructive, and sometimes criminal.

Mahaffey and Rogers acknowledged that they first had to gain physical access to the Tesla in order to accomplish their hack, requiring a physical connection via Ethernet cable that then allowed them to access the Model S remotely. 

According to the FT, the pair was able to "manipulate the speedometer to show the wrong speed, lower and raise the windows, lock and unlock the car and turn the car on or off."

At low speeds--5 mph or less--they were able to shut the car down, which turned all the instruments and displays black and engaged the emergency brake--dragging the car to a stop.

At speeds higher than that, however, while the screens went blank and the car's electric drive disengaged, the Tesla continued to offer power steering to the driver, who could steer it safely to the roadside.

Tesla has already issued a patch, the company said, and all Tesla owners will be able to update their cars by today (Thursday, August 6, 2015).

The researchers complimented Tesla for being able to update its control software so quickly via its unique "over-the-air software update" capability, built into all Model S cars since the start of production in June 2012.

Vehicles built by conventional carmakers do not offer that ability; they must be brought into the dealer to change their software, with a few makers offering an exception for non-critical updates to infotainment systems that owners can install via USB drive.

UPDATE: Green Car Reports reached out to Tesla Motors, which provided the following comment:

Our security team works closely with the security research community to ensure that we continue to protect our systems against vulnerabilities by constantly stress-testing, validating, and updating our safeguards. Lookout's research was a result of physically being in Model S to test for vulnerabilities.

We've already developed an update for the vulnerabilities they surfaced which was made available to all Model S customers through an over-the-air update that has been to deployed to all vehicles.