A group of security experts from security firm Promon has demonstrated how to exploit the Tesla app (for both Android and iOS) to locate, unlock and steal a Tesla Model S. The hackers used a laptop to remotely control the vehicle as demonstrated in the following video PoC.
“Our researchers have demonstrated that because of lack of security in the Tesla smartphone app, cyber criminals could take control of the company’s vehicles, to the point where they can track and locate the car in real-time, and unlock and drive the car away unhindered.” reada a blog post published by the Promon firm.
The Tesla app implements numerous functionalities, it allows to check the battery level, locate the car, set the climate control and flash the lights.
The app performs the operations by sending an HTTP request to the Tesla server, these requests leverage an OAuth token for the authentication. The token is obtained by the users once he completed the authentication through username and password.
The experts noticed that the first time the user logs into the Tesla app, the mobile device receives a token that is stored in cleartext in a file in the app’s sandbox folder. Every time the app is restarted, the token is read and used for subsequent requests.
Attackers can steal it to impersonate the victim and access to the vehicle.
“In our tests, this token was valid for 90 days, meaning that the user has to re-enter his username and password once in a while. Stealing this token enables an attacker to locate the car and open its doors. In order to enable keyless driving, the password is required as well. Because of that, the hack focused on obtaining the username and password.” continues the analysis.
There are several methods to steal the login credentials, the hackers in their test used a modified Tesla app that includes the code to steal the username and password and send to an attacker.
In order to replace the Tesla app and manipulate the token, the attackers used a privilege escalation attack.
When the Tesla car owner connects to the bogus Wi-Fi hotspot and visits a web page, he is redirected to a captive portal that displays an advertisement targeting Tesla owners.
“In this example, an app was advertised that offers the Tesla owner a free meal at the nearby restaurant. When the Tesla owner then clicks on the advertisement, he is redirected to the Google Play store where the malicious app is displayed.” states the experts.
Once the Tesla owner has installed and started the malicious app, it will then gain root permissions and replace the legitimate Tesla app. When the user starts the app the next time, he will be prompted to provide his login credentials that the Tesla app will send back to the attacker.
The attackers have to trick the Tesla owner into installing this malicious app, for example through a phishing attack.
In a first step, the hackers have to convince the owner to download a malicious app onto their Smartphone. The hackers set up a free and open Wi-Fi hotspot in a proximity of a Tesla charging station, which offers a free burger to Tesla owners who download a special app. Of course, the attackers could use various incentives to trick users into downloading the malicious app.
“At this point the target knows nothing about the free burger app’s true intentions, but now the hackers have access to the Tesla app, they can track the car. Once parked up for the night, they can track down the car, instruct it to unlock (a feature of the app), then enable ‘keyless driving’ mode. Created by Tesla, this feature lets Tesla owners remotely unlock and start their cars by entering a password; this can come in handy when asking a neighbour to move the car to a different parking space while you are on holiday, for example.”
It is important to highlight that the hack isn’t a related to a flaw in Tesla car, a Tesla spokesperson told IBTimes UK that the report does not demonstrate any Tesla-specific vulnerabilities.
“Mobile-focused criminals are more skilled than ever before, and are using a lack of security in mobile apps as an increasingly lucrative source of revenue.” said Tom Lysemose Hansen, founder and chief technology officer of Promon.
“Remotely controlling and stealing Tesla cars is a particularly dangerous example of just what can be done, but in theory any app without the necessary protection in place could be affected.”
(Security Affairs – Tesla car, hacking)