What could the Keen team do? Well, the big one is the claim that they were able to manipulate the Model S's brakes from 12 miles away, but Tesla disputes that ability. Keen also said they could take over the car's info screens, including the massive central touch screen, rendering them useless, as well as move the seats and turn on the wipers. Samuel Lv, director of the Keen Security Lab, says in the video above (where you can see all these hacks in action) that finding these holes took the team many months and, most importantly, that they didn't need to physically change the Model S they were able to control remotely.
A Tesla spokesperson sent the following statement to AutoblogGreen:
Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious wifi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.
We engage with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today's demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research.
Whatever the original hole was, Tesla's 10-day response time should give owners a bit of relief. After all, you can let someone else brake for you for a week-and-a-half, right?