Researcher disclosed numerous security issues with Tesla S SmartCAR

Pierluigi Paganini April 02, 2014

A security researcher reported to Tesla a series of security issues related to the Model S that could be exploited to locate and unlock the vehicles.

Hackers are able to remotely locate or unlock Tesla Motors electric vehicles. The news is curious, but it isn’t a novelty. Car hacking has been widely discussed in recent months: we read about the research conducted by Charlie Miller and Chris Valasek on the topic, and we were surprised by the news that a cheap, tiny device dubbed the CAN Hacking Tool (CHT) made it possible to control some features of a vehicle. Both studies focus on the possibility of interacting with any component in the car via the CAN bus, injecting malicious code or conducting a DoS attack. The attack surface of any smart car is increasing due to the presence of different networked devices and the implementation of different communication protocols such as Bluetooth and WiFi.

New research demonstrated that it is possible to hack a Tesla smart car simply by cracking a six-character password. Last week at the Black Hat Asia security conference in Singapore, the researcher Nitesh Dhanjani presented a study conducted on his own Tesla Model S sedan, describing a series of vulnerabilities in the security system adopted to protect the vehicle.

The Tesla Motors Model S allows drivers to use the vehicle in the presence of a key fob, but the car can also be unlocked through a command transmitted wirelessly over the Internet. The principal problem is that the command could easily be hijacked by cybercriminals who crack or steal the password with traditional hacking techniques.

Be aware that the password only allows locating and unlocking the car; it is nevertheless a dangerous issue, because thieves could steal anything Tesla owners have left in their vehicles.

“We cannot be protecting our cars in the way we protected our (computer) workstations, and failed,” he said during a presentation.

Every new Tesla owner must complete a registration procedure on the web, signing up for an account protected by a secret code composed of six characters. Unfortunately, the same code is used to unlock the mobile phone app and gain access to the online Tesla account (http://www.teslamotors.com).


The first thing the researcher noted is that an attacker can try all possible combinations of the six characters composing the password: the app doesn’t implement any restriction on the number of attempts, which makes a brute-force attack easy.

“The password is vulnerable to several kinds of attacks similar to those used to gain access to a computer or online account,” said Dhanjani. “It’s a big issue where a $100,000 car should be relying on a six-character static password.”

Dhanjani also highlighted that an attacker can impersonate Tesla support staff to unlock cars remotely. The attacker could also conduct a spear phishing attack to gain access to the victim’s credentials after the installation of data-stealing malware on the PC the victim uses to access the Tesla website.
“Once credentials are gathered, phishers can easily check the location of the cars for the accounts they have compromised by using the Tesla REST API (http://docs.timdorr.apiary.io, destination https://portal.vn.teslamotors.com/) by following these steps:
  A. Login by submitting to /login and setting the user_session[email] and user_session[password] parameters.
  B. Use the session token from A. to obtain the vehicle list by submitting a GET request to /vehicles.
  C. Use the vehicle id obtained in B. to query the location of the vehicle by submitting a GET request to /vehicles/{id}/command/drive_state. This will return the location in the form of latitude and longitude.

Once the phisher has obtained the location of the vehicles mapped to the compromised accounts he or she can unlock a particular vehicle or a set of vehicles (by invoking the following in a loop): GET request to /vehicles/{id}/command/door_unlock.” is the procedure described by the researcher.
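
Detection logic for the two behaviours described above, the unlimited password guessing and a single source unlocking vehicles across several accounts, as an added example that is not code from the article, the researcher or Tesla. The log format, the 401/200 status codes, the thresholds and every address and account in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

FAILED_LOGIN_LIMIT = 5    # assumed threshold: failed logins per (source, account)
UNLOCK_ACCOUNT_LIMIT = 2  # assumed threshold: accounts unlocked from one source
UNLOCK_RE = re.compile(r"^/vehicles/[^/]+/command/door_unlock$")

# Constructed sample log, not real data; assumed format: time source account method path status
SAMPLE_LOG = "\n".join(
    [f"2014-04-02T10:00:0{i}Z 203.0.113.7 alice@example.com POST /login 401" for i in range(6)] + [
    "2014-04-02T10:00:07Z 203.0.113.7 alice@example.com POST /login 200",
    "2014-04-02T10:00:09Z 203.0.113.7 alice@example.com GET /vehicles/101/command/drive_state 200",
    "2014-04-02T10:00:10Z 203.0.113.7 alice@example.com GET /vehicles/101/command/door_unlock 200",
    "2014-04-02T10:01:00Z 203.0.113.7 bob@example.com POST /login 200",
    "2014-04-02T10:01:02Z 203.0.113.7 bob@example.com GET /vehicles/202/command/door_unlock 200",
    "2014-04-02T11:00:00Z 198.51.100.20 carol@example.com POST /login 401",
    "2014-04-02T11:00:05Z 198.51.100.20 carol@example.com POST /login 200",
    "2014-04-02T11:00:09Z 198.51.100.20 carol@example.com GET /vehicles/303/command/door_unlock 200",
])

def detect(log_text):
    """Return alerts for password guessing and for one source unlocking many accounts."""
    failed = defaultdict(int)    # (source, account) -> failed login count
    guessed = set()              # (source, account) pairs where a success followed the failures
    unlocked = defaultdict(set)  # source -> accounts whose vehicles it unlocked
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than crash the detector
        _ts, src, account, _method, path, status = parts
        key = (src, account)
        if path == "/login" and status == "401":
            failed[key] += 1
        elif path == "/login" and status == "200" and failed.get(key, 0) >= FAILED_LOGIN_LIMIT:
            guessed.add(key)
        elif UNLOCK_RE.match(path) and status == "200":
            unlocked[src].add(account)
    alerts = []
    for (src, account), n in sorted(failed.items()):
        if n >= FAILED_LOGIN_LIMIT:
            alerts.append(("password_guessing", src, account, n, (src, account) in guessed))
    for src, accounts in sorted(unlocked.items()):
        if len(accounts) >= UNLOCK_ACCOUNT_LIMIT:
            alerts.append(("multi_account_unlock", src, sorted(accounts)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The final field of a `password_guessing` alert is true when a successful login followed the failures, which is the case that warrants forcing a password reset on the account.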

Dhanjani also highlighted other serious risks for owners of Tesla cars: they could be victims of malware-based attacks, or attackers could exploit owners’ bad habit of reusing the same password for different web services. In this last scenario, a data breach on a third-party website could reveal the credentials used by Tesla customers to protect their vehicle.
The security expert has reported the results of his study to Tesla. Tesla spokesman Patrick Jones declined to provide any comment on the hack.

“We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process,” replied Jones via email.

The security issues presented by Dhanjani are very serious; we must consider that similar problems could affect a wide range of devices following the Internet of Things paradigm and could have repercussions on a large scale.

Sincerely, I don’t think this is the case for Tesla, but it’s time to start considering security by design, no matter whether you are designing a fridge, a Smart TV or a car.

Pierluigi Paganini

(Security Affairs –  car hacking, Tesla)


