Tesla cars can be tracked, located, unlocked and driven away by compromising the company’s smartphone app.
Researchers at Norwegian app security firm Promon demonstrated how easy it appears to be to steal a Tesla. Benjamin Adolphi, mobile software developer at Promon, said he used “simple, known vulnerabilities” that have been around for a long time. He created a fake free Wi-Fi hotspot that featured an ad targeted at Tesla owners, offering them a free burger at a local restaurant.
Owners were then prompted to download an application in order to take advantage of the offer; however, the app contained malware that “manipulated” the Tesla app to grab the owner’s username and password.
In the demonstration, Adolphi was then seen to track the Tesla vehicle, unlock it, start the engine and drive away, all from his laptop. The Tesla application, which the researchers had compromised, can be used to monitor the location and range of the car as well as to set the climate remotely.
Lars Lunde Birkeland, marketing director at Promon, explained that the hack used privilege escalation. An OAuth token, obtained from the username and password, is used to authenticate the user every time the app starts. “The Tesla app is modified where code was added to steal the username and password and send them to an attacker-controlled server. In order to trigger this code, the user needs to log in again. The Tesla app can be tricked into requiring the user to log in by simply removing the stored token,” he said.
In a statement to Infosecurity, Tesla said that the issue uncovered by Promon is to do with underlying mobile application security, rather than their application.
“The report and video do not demonstrate any Tesla-specific vulnerabilities,” the statement said. “This demonstration shows what most people intuitively know – if a phone is hacked, the applications on that phone may no longer be secure.”
“The researchers showed that known social engineering techniques could be employed to trick people into installing malware on their Android devices, compromising their entire phone and all apps, which also includes their Tesla app. Tesla recommends users run the latest version of their mobile operating system,” Tesla’s statement added.
While this may seem like bad news for Tesla owners, the demonstration really reveals that all smartphone users need to be much more aware of what they download. Being prompted to download an application from an unknown source, particularly while connected to free Wi-Fi, should alert the user to a potential cyber-attack.
Users should ensure that their mobile operating system and all applications are kept up to date at all times.
“With mobile phones now an everyday item, the ideal of safe usage can always be compromised by human error. It is impossible to control how every single user goes about using their mobile device, whether you are a car manufacturer, a retailer or a bank,” Birkeland added.