Researchers at Tencent Holdings Ltd.’s Keen Security Lab discovered a critical security hole in Tesla’s Control Area Network (CAN), which allowed them to remotely operate the vehicle’s brakes without ever having to physically interact with it.

Although Tesla Motors quickly patched the flaw, Keen Security Lab’s success raises serious security concerns for the future of self-driving vehicles. In a video, Keen Security Lab demonstrated that its researchers could remotely control a number of components in an unmodified Tesla Model S P85, including the vehicle’s sunroof, turn indicators and power seats. In a Tesla Model S 75D, the team showed that they were also able to unlock the vehicle’s door, disrupt its touchscreen, activate its windshield wipers and even fold its side mirror while turning.

For the most part, the controls Keen Security Lab demonstrated were all annoyances, but the team’s most worrying success was the ability to activate the vehicle’s brakes while in motion.

“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars,” Keen Security Labs said in a statement. “We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected.

“Keen Security Lab would like to send out this reminder to all Tesla car owners: Please do update the firmware of your Tesla car to the latest version to ensure that the issues are fixed and avoid potential driving safety risks.”

Tesla: “The risk to our customers was very low”

The company noted that it informed Tesla of the exploit as soon as the research team discovered and reproduced it, and Tesla explained in a statement that it had already fixed the flaw less than two weeks after learning of it. Tesla also noted that the hack would have been difficult to pull off in the wild in the first place.

“Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues,” Tesla said in its statement. “The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious wifi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly.”

While the risk may have been low and Tesla did quickly patch the security hole, the fact that it existed in the first place is certainly worrying, especially as the automotive industry becomes increasingly focused on making mass-produced autonomous vehicles a reality.

You can watch a video of Keen Security Lab’s Tesla hack below:

Photo by p_a_h