Tesla fixes 'low risk' remote hijack vulnerability

Tencent's Keen Security Lab has demonstrated the ability to remotely hijack a Tesla vehicle once it is connected to a malicious Wi-Fi network.
Written by Chris Duckett, Contributor

A team of researchers from Keen Security Lab has demonstrated that it can hijack a Tesla car once the vehicle is connected to malicious Wi-Fi and the car's web browser is used.

In a blog post, Keen said its attack vector impacted multiple models of Tesla.

"We have discovered multiple security vulnerabilities and successfully implemented remote ... control on Tesla Model S in both Parking and Driving Mode. It is worth to note that we used an unmodified car with latest firmware to demonstrate the attack," Keen said.

"As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars."

In a YouTube clip, the Keen team demonstrates how they can remotely apply the brakes, unlock the car, manipulate its seats, mirrors, and indicators, and take over the car's web browser.

A Tesla spokesperson said the company has already deployed a software update, and the team would be rewarded under its bug bounty program.

"The issue demonstrated is only triggered when the web browser is used (web browser functionality not enabled in Australia)," the spokesperson said in a statement. "Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly."

Keen said on Twitter it would release details of its attack once the fix was pushed to Tesla owners.

As cars become increasingly connected, they are also exposed to more avenues of attack.

In response to this, Volkswagen last week partnered with three Israeli security experts to form a new company called Cymotive.

"We are aware of the significant technological challenges that will face us in the next years in dealing with the cyber security threats facing the connected car and the development of the autonomous car," said Yuval Diskin, the former head of the Israeli Security Services and Cymotive chairman.
