And while cars with autonomous features have additional tech to protect against spoofing, they cautioned that other studies raised the specter of attacks on other systems, such as ultrasonic sensors, millimeter-wave radar, lidar (light detection and ranging), and wheel speed sensors.

“The threat of GPS spoofing increases as the level of automation goes up”

“These new semi-autonomous features offered on new cars places drivers at risk, and provides us with a dangerous glimpse of our future as passengers in driverless cars,” said Roi Mit, chief marketing officer of Regulus Cyber.

Curtis Kexiong Zeng, one of the authors of the 2018 study, said in an interview that successfully spoofing a Tesla Autopilot system depends on what kinds of maneuvers the car can make based on GPS location and without driver participation or permission.

“Generally speaking,” he said, “the threat of GPS spoofing increases as the level of automation goes up.”

So what about this test by Regulus Cyber? “This is entrepreneurial hacking,” said Colin Bird-Martinez, senior analyst in connected car software at IHS Markit. The Regulus attack is both time and labor intensive, he said, and relied on someone placing an antenna on the car itself, something any reasonably alert motorist would likely notice.

And the impact was extremely limited, he said—the Model 3 didn’t crash; it just braked and took a different road. “You can hack anything if you put the effort into it,” Bird-Martinez said. But in this case, he said he’s not all that worried.

Another reason spoofing is unlikely to succeed is Tesla’s onboard computer. It uses GPS, radar, maps and cameras to funnel data into a central processing unit, where a final driving decision is made in a process known as sensor fusion. Tesla vehicles don’t use GPS or maps to control the steering of the car, and also learn when to disregard faulty information.

You’ve likely seen the process yourself, if you’ve ever used GPS in a city. Your little blue dot will wander off a street and into the middle of an office building. The computer, knowing you’re likely not driving through a building, realizes the signal is incorrectly placed and uses other data (from cell towers or other known waypoints) to place you back on the road.

In fact, researchers concluded that any patch for a spoofing risk will likely involve those other sensors.