Tesla hack: Thieves prey on high-tech cars, could you be a victim?

Recent revelations have demonstrated that hackers can find ways around modern car security systems, in some cases with worrying ease. Experts agree that, as autonomous technology becomes more widespread, well-equipped thieves could find it increasingly simple to drive away in your car.

The most recent car to exhibit vulnerability to software attacks is the Tesla Model S. A team of skilled computer hackers found a surprisingly simple way to gain access to the car, focusing not on the vehicle itself, but on the Tesla App installed on its owner’s smartphone.This follows examples reported in 2015, where both Tesla and Jeep cars demonstrated on-board security weaknesses – now resolved – that could be exploited by expert hackers.

The Tesla hack: What happened?

The most recent hack focused on a the official Tesla smartphone app that owners can use to remotely access details about their car and change its settings. These can include information on its present battery charge status and adjusting the climate control. It can also help owners find their car in a car park and flash the lights by remote control. This latter feature, it transpires, could make life even easier for determined criminals.

How did the hack work?

In the case of this particular Tesla trial, the hacker convinced the Tesla’s owner to download software masquerading as a free smartphone app promising special offers at a local hamburger restaurant. Once the Tesla owner downloaded the app, the malware program hidden within it enabled the hacker to access information held on their, phone, including passwords and usernames used by the Tesla App to access the car’s systems.

Using this information and laptop computer, the hacker was able to accurately simulate the Tesla owner’s mobile phone; and as the information the Tesla App contained included the car’s location, it was easy to track the parked Tesla down. With the Tesla not able to distinguish between the hacker’s laptop and the owner’s smartphone, the hacker was able to gain access; change the Tesla’s settings to enable keyless activation and drive the car away without the alarm sounding.

As the owner’s password and username were used in such a way as to appear legitimate, they’d be unaware of the car being taken until returning to find a deserted parking space.What’s concerning is that this is the first time the official Tesla smartphone app has been used as an entry point for hackers. It was a potential weakness of this app when exposed to custom-written malware programmes that made it possible for the owner’s details to fall into the wrong hands.

Previous fears highlighted by computer-security analysts focused on the potential for skilled hackers to gain access to the Tesla Model S’s sophisticated operating system. This could potentially allow them to plant software that would allow the car to be controlled remotely by thieves at a later date.

In a 2015 trial, another team of hackers found a way to connect a laptop computer to a Tesla Model S and start it without the driver's key being present. They also discovered it was possible to upload a trojan virus that allowed the hackers to stop the car remotely. However, as the Model S has a permanently enabled internet connection, Tesla was able to issue a software update for all cars that could have been vulnerable to this malware.

The latest development, however, doesn’t involve any contact with the car at all, concentrating instead on security weaknesses in owners’ smartphones. It’s therefore likely that increased vigilance when downloading smartphone applications will limit the likelihood of owners falling victim to hi-tech car thieves.

Jeep hack: What happened?

It’s not only Tesla whose cars could be targeted by hi-tech thieves. Within the last two years more than 1.4m Jeep, Chrysler and Dodge cars were recalled in the US, after an electronic security flaw emerged that could allow hackers to remotely drive their cars.

In a trial conducted in 2015, American security experts were able to hack into the systems of a Jeep Cherokee driven by a technology journalist. The experts found themselves able to manipulate systems including the air-conditioning, windscreen wipers and GPS – and even took control of the car’s electronically controlled brakes and accelerator.

The technology journalist wrote of the incident: “Immediately, my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl.” After disabling the Jeep’s brakes, the hackers let the vehicle coast into a ditch, with the driver still in it.

How did they do it?

The hackers used the internet to remotely target the Jeep’s uConnect infotainment system. They then used the system as a ‘virtual gateway’ to communicate with control modules that oversee the car’s vital systems. With all the control units in a car ‘speaking’ to each other as members of a network, once communication is established with one component, it’s theoretically possible to control all the others.

With the hack taking advantage of the uConnect system’s live internet connection, in theory it could have been performed on any Jeep Cherokee uConnect that was manufactured between 2013 and 2015, as well as potentially other cars fitted with the same infotainment system. FCA, parent company of the Jeep brand, has recalled a number of Jeep, Dodge, Chrysler and Ram models in the US, including sports cars, SUVs and saloons to perform a software update that reduces the likelihood of this hack working.

Should you be worried?

Tesla owners can be assured that not everyone is at immediate risk and those who are vigilant avoid the worst happening.

The key to the success of the latest hack was the installation of a hidden ‘malware’ programme on the Tesla owner’s smartphone. Unwanted software like this can be stealthily concealed within innocuous-looking apps that you might download, further reinforcing the importance in only ever downloading software from trusted sources.

In most cases, a piece of software will request access rights, too. Be very wary when a new smartphone app requests access to password details – ask yourself why it needs this information and abort installation if you’re in any doubt.

UK Jeep owners can rest reassured that the the infotainment system used as an access point for the security experts to control the car wasn’t available on cars sold outside the US, so this particular method doesn’t affect Jeep Cherokees in Europe. However, it still provides a stark warning that car manufacturers need to bolster the security of their in-car systems, especially when they incorporate live internet links.