SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
25 Nov 2016

Tesla Model S hack uses Android app exploit to steal car without the key

A team of computer hackers have demonstrated how the Tesla Model S can be located, unlocked and driven away without the key.

By compromising the car's companion smartphone application, they used a laptop to remotely unlock the doors, start the electric car and 'steal' it from a colleague. The hack exposes the weaknesses of products that can be accessed via apps and the internet.

The Tesla app is commonly used by owners to check the battery level and charging status, see the location of their car, as well as set the climate control before getting in, and flash the lights to help find the car in a car park. But in this demonstration the hackers, from security firm Promon, are shown using the car and app's shared internet access to track it down and steal it, all without an alarm going off and without the owner being aware.

They would likely only notice when returning to find the car gone, or when checking the car's location on the app. Available for iOS and Android, the app taken advantage of here is for the latter. To steal the Tesla, the hackers first have to convince the owner to download a malicious app onto their phone. In Promon's example, this is done by creating a free and open Wi-Fi hotspot close to a Tesla charging station, which offers a free burger to Tesla owners who download a special app. The incentive here could be anything, but the logic behind it remains the same; the target must download the malicious app to give the hackers access to their phone, and then their Tesla app password.

Don't be fooled by a free burger

Naturally, two flags here should already have been raised for most users: one when connecting to an unknown Wi-Fi network, and another when asked to download an unfamiliar application. It is generally good practice to do neither of these - especially not for a free burger.

At this point the target knows nothing about the free burger app's true intentions, but now that the hackers have access to the Tesla app, they can track the car. Once it is parked up for the night, they can track down the car, instruct it to unlock (a feature of the app), then enable 'keyless driving' mode. Created by Tesla, this feature lets Tesla owners remotely unlock and start their cars by entering a password; this can come in handy when asking a neighbour to move the car to a different parking space while you are on holiday, for example.

Tom Lysemose Hansen, founder and chief technology officer of Promon, said: "Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car."

The hack isn't a demonstration of a vulnerability unique to Tesla, but more an example of how internet- and app-connected devices (and their victims) can fall for such attacks. Hansen added: "Mobile-focused criminals are more skilled than ever before, and are using a lack of security in mobile apps as an increasingly lucrative source of revenue. Remotely controlling and stealing Tesla cars is a particularly dangerous example of just what can be done, but in theory any app without the necessary protection in place could be affected."

The security researcher says that, in moving away from keys and fobs to smartphone apps, car makers must employ the same levels of security as banks. "We strongly believe that Tesla and the car industry needs to provide a comparable level of security [to banks], which is certainly not the case today," Hansen said. In response to the hack, a Tesla spokesperson said: "The report does not demonstrate any Tesla-specific vulnerabilities. This demonstration shows what most people intuitively know – if a phone is hacked, the applications on that phone may no longer be secure.

"The researchers showed that known social engineering techniques could be employed to trick people into installing malware on their Android devices, compromising their entire phone and all apps, which also includes their Tesla app. Tesla recommends users run the latest version of their mobile operating system." Earlier Tesla hackers took remote control of door locks, lights and brakes.

Tags:
iOS Android information leaks hackers
Source:
IBTimes UK