Internet-connected vehicles bring a world of possibilities for entertainment, convenience, and safety, but they come with risks that many people don’t think about. A few weeks ago, we heard the story of a Tesla owner who was able to unlock and drive away in someone else’s car, but that’s hardly the only security issue with the company’s EVs. Automotive News reported that a French cybersecurity firm recently won a hacking competition with their lightning-quick breach of a new Tesla Model 3.
The team from the French company Synacktiv won the competition by accessing the vehicle’s gateway and infotainment subsystems. Impressively, the feat took less than two minutes and involved the group hacking into the car’s head unit. They avoided hacking the car itself for safety reasons, as they wanted to prevent any unintentional movement with other vehicles and people around.
The Pwn2Own conference gave Synacktiv 10 minutes and three attempts to hack the car. They quickly accessed the infotainment system and replaced the Tesla logo with their own. They hacked the vehicle using its Gateway system, which manages communications between the Model 3 and the Tesla Powerwall, a battery backup system for home use.
In another effort, the team accessed the Tesla through an Ethernet network, and their access allowed them to open the car’s trunk and doors while it was in motion. Combined, the two hacks earned them $350,000 and a new Tesla Model 3.
A Tesla security team was on site and confirmed the hack. The automaker said it would issue a patch for the vulnerability via the cars’ over-the-air update function. This isn’t the first time a Tesla has been hacked in a controlled environment. Last year, a researcher unlocked and started a Model S and Model Y. That hack involved redirecting signals between the mobile app, key fob, and car.
It’s easy to poke fun at Tesla, but the company is far from the only one with security flaws. Hackers have breached Volkswagens, Jeeps, and others. Toyota’s supplier portal caused it problems, and some third-party services and apps also pose risks. Researchers found that a popular remote start service created vulnerabilities in a range of car makes and could unlock, start, and locate vehicles without physical access.