Last week, a 19-year-old independent cyber security researcher revealed how he could control over 100 Tesla vehicles around the world by exploiting a security flaw in a third party app linked to the electric carmaker’s application programme interface (API). This, however, is hardly the first time that a security exploit has shown how connected cars could be at fatal risk in the hands of malicious hackers, one day.
According to a report, independent security researcher David Colombo found a flaw in an undisclosed third-party app, which a number of Tesla car owners use around the world. By exploiting this flaw, Colombo could execute a number of remote features – disabling the ‘Sentry Mode’ security feature that uses cameras aboard the car to alert owners of theft or damage attempts, unlocking the doors, controlling the in-car playback volume and keyless initiation of the car.
While he couldn’t control the car’s steering, acceleration and braking, the incident still signifies a key security threat to connected cars. It’s also hardly the first time that such an incident has taken place – and not a first for Tesla, either.
In 2016, China’s Tencent Group’s Keen Labs could chain together multiple vulnerabilities to hack the Tesla Model S – both when it was parked, and while it was moving. In 2015, a group of security researchers, as part of an experiment with Wired, could take over full control of a Jeep SUV moving at over 110 kilometres per hour – including its air conditioning, infotainment system and all driving controls.
In 2019, a security report by a non-profit organisation, Consumer Watchdog, had stated that the lack of integrating security from the ground level and applying retrofitted features is a big reason for security gaffes in connected cars. This, coupled with third-party integrations, has served as a big reason behind cyber attackers exploiting vulnerabilities.
The latest Tesla hack also showed something similar, where the third party app that integrates Tesla’s API failed security validations – thereby giving remote controls to anyone who knows how and where to look. In the hands of the wrong person, this could be exploited to a fatal effect beyond just theft.
Tesla has not issued a statement on the hack, although Colombo clarified that the exploit was not due to engineering flaws on Tesla’s end.