Chinese researchers from Keen Security Lab of Tencent announced that they could chain multiple vulnerabilities together, which allowed them to remotely hack the Tesla Model S P85 and 75D from as far as 12 miles away.

The researchers said:

As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars. We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected.

The researchers released video proof of remotely hacking the Tesla vehicles while they were parked and while they were being driven. The attacks were carried out on unmodified Tesla cars that had the latest firmware version.

If you have eight minutes to spare, I highly recommend you watch it.

As the researchers stated, the remote hacks likely work on all Tesla models, but on the parked Model S P85, the researchers remotely opened the sunroof, turned on the turn signal, and changed the position of the driver’s seat.

But then Samuel Lv, director of Keen Security Lab, brought in a “brand-new Tesla Model S 75D” to see what the hackers could do.

For starters, the researchers locked the touchscreen controls to show a message proving the Tesla was pwned by Keen Security. Then they removed the keys from the parked 75D from the immediate area and instead used a laptop to remotely unlock the door.

Then the researchers remotely hacked the car while it was being driven. While the Tesla was moving, the researchers controlled the windshield wipers, popped open the trunk and changed the position of the side view mirrors. This was done by researcher Sen Nie with a laptop via the passenger seat.

To prove the brakes could be remotely controlled, the researchers had a colleague in an office about 12 miles away hit the brakes while the Tesla was being driven.

Tesla has closed the security holes, and the researchers urged Tesla owners to update to the latest firmware immediately to “avoid potential driving safety risks.”

Tesla has released the following statement: