Connected cars can be hacked, research finds
Northeastern researchers have uncovered security vulnerabilities in Tesla’s Model 3 and Cybertruck, demonstrating that hackers could intercept the vehicles’ wireless connectivity stack.
Hackers could exploit wireless systems in Tesla’s Model 3 and Cybertruck to track vehicles, disrupt communications and interfere with network performance, according to research from Northeastern University.
The research highlights the broader security risks facing all modern connected cars, which have increasingly become “computers on wheels.”
They feature cellular and Wi-Fi modems for continuous connectivity, GPS for navigation, Bluetooth antennas for connecting your phone, and a host of “vehicle-to-everything” (V2X) technologies to support safety features.
And just like a smartphone or nearly any internet-connected device, these vehicles are susceptible to attacks.
Yet unlike smartphones, which allow users to download apps to track rogue activity or disable networks manually, many cars on the road today “maintain persistent” connectivity “to support remote diagnostics, OTA updates and application communications,” according to the researchers.
“The most important takeaway for someone buying a car is understanding that modern vehicles are always-on networked devices that you cannot control or monitor,” said Aanjhan Ranganathan, a Northeastern professor in the Khoury College of Computer Science.
He conducted the study on the Tesla vehicles’ Fourth Generation Long Term Evolution, or 4G LTE, connectivity in collaboration with Evangelos Bitsikas and Jason Veara, cybersecurity and privacy doctoral students at Northeastern.
One major way hackers can infiltrate the Tesla vehicles is through a process known as IMSI Catching, the researchers uncovered.
IMSI stands for International Mobile Subscriber Identity. Every subscriber connected to a network is given a unique IMSI number used to identify and authenticate them on that network.
While IMSI numbers often can’t be seen while connected online — Temporary Mobile Subscriber Identities are used in their place — there are instances when they could be caught by hackers. This could include when devices are first brought online or need to reattach to a network, the researchers write.
Hackers can use “IMSI catchers,” devices that mimic cell towers, to connect to a vehicle and track its location, said Bitsikas.
“Any system that uses a cellular modem can be placed in situations where a nearby ‘fake tower’ can influence how it connects, especially if the attacker is physically close,” said Bitsikas.
Hackers can also use fake cellular towers to control a vehicle’s connectivity, prevent a car from connecting to the internet at all, intercept data traffic, and force a vehicle into “less secure” modes of operation.
Editor’s Picks
“Importantly, this doesn’t automatically mean ‘remote control of the car,’ but it can impact communications and privacy (e.g., backend communication with Tesla servers),” said Bitsikas.
The researchers additionally found vulnerabilities with the vehicles’ SMS and emergency services systems, discovering that hackers could use those systems to spam messages, issue fake alerts and cause denial of service attacks.
“The risk is less ‘someone hacks the whole car via one text,’ and more that message channels can be abused, spoofed or used for nuisance/engineering attacks depending on how the receiving system is designed,” said Bitsikas.
To be clear, Tesla isn’t the only connected car manufacturer susceptible to these types of attacks. Their vulnerabilities stem from issues with their cellular modems, which are largely composed of components from technology companies Qualcomm and Quectel.
The biggest reason the researcher chose to investigate Tesla was that its backend was easier for them to perform diagnostics and experiments on compared to other carmakers. But most modern cars also rely on those companies for cellular and wireless technologies.
“Therefore, the problem is pretty much applicable to all modern connected cars,” said Ranagathan.
Research in the security of connected cars remains limited, the researchers highlight, and there are several reasons why.
For one, getting access to vehicles for experimental purposes can be difficult and expensive, and once in possession of a vehicle, researchers often need to equip it with expensive pieces of testing equipment.
Additionally, there are a range of safety, technical and ethical challenges that researchers have to consider, including minimizing harm when conducting experiments on and off the road.
For this research, Consumer Reports, the nonprofit media organization, loaned both the Model 3 and Cybertruck to the researchers, who are collaborating with the university on a series of research projects related to connected cars. The researchers tested the 2024 models of the vehicles.
The researchers disclosed their findings to Tesla, which they said “acknowledged that many of the identified weaknesses stem from the cellular modem stack (apart from the vehicle’s software) supplied by third parties, specifically Qualcomm and Quectel,” the researchers wrote.
Northeastern Global News also reached out to Tesla, but has yet to receive any comment from the company.
In terms of mitigation strategies, the researchers offer many, including encouraging automakers to continue to upgrade to 5G cellular networking technologies that have “stronger identity protection mechanisms” compared to LTE, eliminating insecure 2G and 3G fallbacks entirely, and updating all systems to align with the cybersecurity standards set by the United Nations and the International Organization of Standards.
These suggestions will have to be implemented by the carmakers themselves.
For consumers, it’s important for them to recognize the potential security risk that comes with driving a modern car on the road, researchers said.
“When you buy a connected car, you’re accepting a cellular connection that you cannot turn off or disable or switch to a preferred network,” said Ranganathan. “Many features are delivered through this cellular connection and, therefore, when a problem occurs, it’s hard to simply ‘turn off and turn on’ the connections.”
