Posted on 12/01/2016 10:12:18 PM PST by Swordmaker
By infecting a Tesla owner's phone with Android malware, a car thief can hack and then steal a Tesla car, security researchers have revealed this week.
Previous attempts to hack Tesla cars targeted the vehicle's on-board software itself. That is how Chinese security researchers from Keen Lab hacked a Tesla Model S last month, controlling the car from 12 miles away.
Security experts from Norwegian security firm Promon have taken a different approach, and instead of trying complicated attacks on the car's firmware, they have chosen to go after Tesla's Android app that many car owners use to interact with their vehicle.
When Tesla owners first open the Android app, they enter a username and password, which the app exchanges for an OAuth token issued by Tesla's servers. The app presents this token every time the user reopens it, so the user does not have to enter a username and password dozens of times a day.
The app does not keep this token forever; it discards it after 90 days and asks the user for the username and password again.
Promon researchers discovered that the Tesla app keeps this token in a plaintext file inside the app's private ("sandbox") directory. Other apps normally cannot read that directory, but an attacker with root-level access to the phone can.
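The check a mobile pentester runs on a pulled copy of an app's private data directory, as an added example that is not part of the article or of Promon's or Tesla's code: it walks the sandbox, flags JSON Web Tokens (confirmed by decoding their header) and long high-entropy strings, and decodes the claims of any JWT it finds. The sandbox contents, file names and token values below are constructed for illustration, and the entropy threshold is an assumption to tune per target.

```python
"""Scan an Android app's private data directory for credentials left in cleartext.

Constructed example: the sandbox written by build_sample_sandbox() is made up to
show what the scan reports when an app stores its OAuth token on disk unprotected.
"""
import base64
import json
import math
import os
import re
import tempfile
from collections import Counter

# JSON Web Tokens: three base64url segments separated by dots.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")
# Opaque bearer/refresh tokens: long runs of hex or base64 characters.
OPAQUE_RE = re.compile(r"[A-Za-z0-9_\-+/=]{32,}")
MIN_ENTROPY_BITS = 3.5  # heuristic per-character threshold (assumption; tune per target)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (random hex is 4.0, random base64 ~6.0)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop their '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify(candidate: str) -> str:
    """Return 'jwt' if the candidate has a decodable JWT header, else 'opaque'."""
    parts = candidate.split(".")
    if len(parts) == 3:
        try:
            header = json.loads(_b64url_decode(parts[0]))
            if isinstance(header, dict) and "alg" in header:
                return "jwt"
        except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
            pass
    return "opaque"


def jwt_claims(token: str) -> dict:
    """Decode (without verifying the signature) the payload of a JWT found on disk."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def find_candidates(text: str) -> list:
    """Token-looking strings in one file's text: confirmed JWTs, then high-entropy blobs."""
    found = [(m.group(0), "jwt") for m in JWT_RE.finditer(text)
             if classify(m.group(0)) == "jwt"]
    # Blank out confirmed JWTs so their segments are not reported again as opaque blobs.
    stripped = text
    for token, _ in found:
        stripped = stripped.replace(token, " " * len(token))
    for m in OPAQUE_RE.finditer(stripped):
        s = m.group(0)
        looks_random = (shannon_entropy(s) >= MIN_ENTROPY_BITS
                        and bool(re.search(r"[0-9]", s))
                        and bool(re.search(r"[A-Za-z]", s)))
        if looks_random:
            found.append((s, "opaque"))
    return found


def scan_sandbox(root: str) -> list:
    """Walk a copy of an app data directory (e.g. /data/data/<pkg>) and report findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="replace")
            for value, kind in find_candidates(text):
                findings.append({"file": os.path.relpath(path, root),
                                 "kind": kind, "value": value})
    return findings


def build_sample_sandbox(base: str) -> None:
    """Write a constructed sandbox: a cleartext JWT in shared_prefs and a hex refresh
    token in a cache file, plus a harmless settings file that must not be flagged."""
    header = base64.urlsafe_b64encode(b'{"alg":"HS256","typ":"JWT"}').rstrip(b"=").decode()
    payload = base64.urlsafe_b64encode(
        b'{"sub":"owner@example.com","exp":1490000000}').rstrip(b"=").decode()
    signature = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()  # not a real MAC
    access_token = f"{header}.{payload}.{signature}"
    # 64 hex chars, each digit appearing four times: entropy is exactly 4.0 bits/char.
    refresh_token = "a5f3c9e17b2d4860c7e1a39f5b2d08649e3b7f1ac5d20864f1b5d3e79a2c0846"
    files = {
        "shared_prefs/com.example.carapp_preferences.xml":
            '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
            f'    <string name="oauth_token">{access_token}</string>\n'
            '    <long name="token_issued_at" value="1482278400" />\n</map>\n',
        "files/session_cache.json":
            json.dumps({"refresh_token": refresh_token, "token_ttl_days": 90}),
        "files/settings.json":
            json.dumps({"theme": "dark", "units": "metric", "vehicle_name": "Garage"}),
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> list:
    """Build the constructed sandbox in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sandbox(tmp)
        return scan_sandbox(tmp)


if __name__ == "__main__":
    for f in demo():
        extra = f" claims={jwt_claims(f['value'])}" if f["kind"] == "jwt" else ""
        print(f"{f['file']}: {f['kind']} token {f['value'][:24]}...{extra}")
```

Point scan_sandbox at a copy of the app's data directory (on a rooted test device, `adb pull /data/data/<package>` produces one). Encrypted blobs also score high on entropy, so the opaque hits are candidates to verify by hand; the JWT branch confirms a hit by decoding its header, which is exactly what an attacker with root can do to a token stored the way the article describes.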
Researchers say it is easy for an attacker to build a malicious Android app that bundles rooting exploits such as Towelroot and Kingroot. These exploits escalate the malicious app's privileges to root, letting it read or alter other apps' data.
While the token lets an attacker perform several actions, it cannot start the car; for that he needs the user's password.
Promon researchers say that if the malware deletes the OAuth token from the user's phone, the app will prompt the user to enter his password again, providing the perfect opportunity to collect the user's password.
Researchers say this is easy and can be done by modifying the original Tesla app's code: since the attacker has already rooted the phone, the malware can alter the installed Tesla app so that it sends a copy of the victim's username and password to the attacker.
With this data in hand, the attacker can use the car's keyless driving feature to start the engine, open the doors, or track the car on the road. Other actions are theoretically possible, but the researchers have not tested all of them.
All of these are performed simply by sending well-crafted HTTP requests to Tesla's servers with the victim's OAuth token and, where necessary, the password.
For all of this to work, the attacker must first convince the victim to install a rogue app on his Android device.
In the video below, the Promon team shows a simple social engineering trick: a promised free meal at a local restaurant persuades the user to install the malicious app on his phone.
While Tesla is to blame for failing to protect the OAuth token in its app, mobile carriers are also at fault: for the past year Google has been providing timely security updates for Android, which many carriers have failed to deliver to their customers.
Promon engineers recommend that the Tesla app provide two-factor authentication, avoid storing the OAuth token in cleartext, make its code harder to extract and modify, and use a custom keyboard layout for password entry to counter mobile keyloggers.
Tesla Android app is the hackers' entry point
Android app saves OAuth token in cleartext
Attackers also modify the Tesla app's source code to steal login data
Victims must install a malicious app on their phones first
Ping for your list
Video demonstration on the site of a Tesla being stolen after a hacker steals the user name and password via a malicious Android app loaded onto the owner's phone.
I have Zer0 desire to have my vehicles to be in any way networked. CAN makes it too late in many ways.
Tesla.
Not the car of whistleblowers.
Neat app. Wholly stupid idea. Doubly so for the Internet of Things. It is amazing, with two decades since the Internet boom, we are still living in the tech Wild Wild West. I am actually amazed more things don’t get p0wned.
Just pull out a key fuse when you park it.
Sometimes an engineer's urge to add more bells and whistles overwhelms the sense God gave an earthworm. . . and they pile on and pile on, regardless of the security of what's being added!
There isn’t a millennial that even knows what a fuse is. You, sir, like me, are old school.
FRegards.
I’m 48 and I just feel the old, no school!
Crazy. Security is an after-thought, bolt-on if there’s time. Until security is the foundation of designs, systems will routinely be compromised. With tragic consequences at this pace.
I used to take a fuel pump relay out on my then-new Silverado years ago. I had a known burnt-out one, I had a mark on the bad one, and swapped them out. That's fine unless you had another old-school car thief who knew tricks like that.
When I was much younger and had a '56 Chevy hotrod, I wired the coil wire through a cigarette lighter I modified: you had to push in the lighter to make it run, and yes, it stayed in because I soldered the heat coil. Pull it out a bit like a normal-looking lighter and no juice to the coil.
'Course now you get burnt at the stake for even asking if a new car or truck has a real working cigarette lighter and not an aux power port.
There’s no link for that when I load the page.