Hacking a Tesla Model X with a DJI Mavic 2 drone equipped with a WIFI dongle

May 2, 2021  By Pierluigi Paganini


A security duo has demonstrated how to hack a Tesla Model X’s and open the doors using a DJI Mavic 2 drone equipped with a WIFI dongle.

The scenario is disconcerting, hackers could use a drone to fly on your Tesla Model X and open the doors, a couple of researchers demonstrated.

The researchers Kunnamon, Inc.’s Ralf-Philipp Weinmann and Comsecuris GmbH’s Benedikt Schmotzle have discovered remote zero-click flaws in the vehicle and exploited them using a DJI Mavic 2 drone equipped with a WIFI dongle.

The vulnerabilities reside in the ConnMan open-source software component used in Tesla cars, the experts explained that they have exploited them to “compromise parked cars and control their infotainment systems over WiFi.”

The duo called the hack TBONE and presented it at the CanSecWest 2021 Conference, below the video of the presentation:

Weinmann and Schmotzle explained that the ConnMan is also widely used in infotainment systems of other carmakers, for this reason they engaged German CERT and other actors of the automotive industry. A new version of ConnMan (v1.39) has been released in February 2021.

“Looking at the fact TBONE required no user interaction, and ease of delivery of the payload to parked cars, we felt this attack was ‘wormable’ and could have been weaponized”, says Kunnamon CEO Ralf-Philipp Weinmann. “Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. We did not want to weaponize this exploit into a worm, however.”

The duo was planning to present the attack at the PWN2OWN 2020 hacking contest, but since it was moved online due to the COVID19 pandemic they opted to privately report the issues to the carmaker.

Going into details the vulnerabilities could be exploited by remote attackers to compromise parked cars gain control of the infotainment system over WIFI, then it is possible to lock/unlock the trunk and doors, modify seat positions and steering/acceleration modes, and change air conditioning settings and temperature.

“It would be possible for an attacker to unlock the doors and trunk, change seat positions, both steering and acceleration modes – in short, pretty much what a driver pressing various buttons on the console can do. This attack does not yield drive control of the car though.” reads the post publishe by the experts.

The good news is that the vulnerabilities cannot be exploited by attackers to take remote control of the vehicle.

“We emulated Tesla’s ConnMan entirely in our own emulator – KunnaEmu. KunnaEmu’s emulation is accurate enough to allow for the exploit to be successful as-is on actual Tesla hardware.”, concluded Dr. Weinmann. “Automotive manufacturers can scale up their software testing and remediation pipelines by orders of magnitude by using KunnaEmu. Our mission at Kunnamon is to bring the power of cloud computing and emulation for testing embedded automotive systems, at scale.”

Tesla is yet to provide a comment on the researchers’ findings.

It is not the first time that hackers demonstrated the hack of a Tesla, in November 2020, a team of researchers from the Computer Security and Industrial Cryptography (COSIC) group at the KU Leuven University in Belgium demonstrated how to steal a Tesla Model X in minutes by exploiting vulnerabilities in the car’s keyless entry system.

In July 2019, the security researcher Sam Curry has earned $10,000 from Tesla after reporting a stored cross-site scripting (XSS) flaw that could have been exploited to obtain vehicle information and potentially modify it.

In March 2019, during the Pwn2Own 2019 hacking competition, the security experts Amat Cama and Richard Zhu of team Fluoroacetate, earned $35,000 for their exploit, along with the Tesla they hacked. The white hat hackers managed to display a message on the car’s web browser by exploiting a just-in-time (JIT) issue in the renderer component.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Tesla)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Cloud hosting provider Swiss Cloud suffered a ransomware attack

 Swiss cloud hosting provider Swiss Cloud has suffered a ransomware attack that seriously impacted its server infrastructure. On...