Regulus Cyber recently revealed in their research that Tesla Model S and Model 3 electric cars which are known for their speed and safety are prone to cyberattacks aimed at their navigation systems.
Regulus Cyber is the first company dealing with smart-sensor security across a wide range of applications including automotive, mobile, and critical infrastructure. The vulnerability of Tesla was revealed during a test drive using Tesla’s Navigate on Autopilot feature when a staged attack not only caused the car to slow down but the car also veered off the main road. Moreover, the concerned cyber firm also discovered the spoofing attacks on the Tesla GNSS receiver can easily be carried out wirelessly and remotely, exploiting security vulnerabilities in mission-critical telematics, sensor fusion, and navigation capabilities.
The Navigate on Autopilot feature was initially intended for making the route to a destination easier by suggesting and making lane changes and taking interchange exits under the driver supervision. According to Tesla, both the models initially requires the drivers to confirm the lane changes using the turn signals before the car moved into an adjacent lane, however, the current versions of Navigate on Autopilot allow drivers to waive the confirmation requirement if they choose, which means the car can activate the turn signal and start turning on its own. Tesla emphasized that “in both of these scenarios until truly driverless cars are validated and approved by regulators, drivers are responsible for and must remain ready to take manual control of their car at all times.”
However, the attack staged by Regulus Cyber to reveal the reaction of Model S and Model 3 began by testing the car driving normally and activating the autopilot navigation feature, maintaining a constant speed and position in the middle of the lane. When the spoofing attack happened, the car was three miles away from the planned exit. The car suddenly slowed down from 500 meters away from the exit and activated the right turn signal and made the sharp turn off the main road. The driver instantly took the charge yet he was not able to stop the car from leaving the road.
Another fact revealed during the test amplified the threat. This threat indicated that the height of the car changed unexpectedly while moving because the suspension system “thought” it was driving through various locations during the test, either on smooth roadways, when the car was lowered for greater aerodynamics, or “off-road” streets, which would activate the car elevating its undercarriage to avoid any obstacles on the road.
The CTO and co-founder of Regulus Cyber, Yoav Zangvil, declared GNSS spoofing as a threat to ADAS and autonomous vehicles: “Until now, awareness of cybersecurity issues with GNSS and sensors has been limited in the automotive industry. But as dependence on GNSS is on the rise, there’s a real need to bridge the gap between its tremendous inherent benefits and its potential hazards. It’s crucial today for the automotive industry to adopt a proactive approach towards cybersecurity.”