Researchers exploit app flaw and steal a Tesla Model S

Lack of security in a Tesla smartphone app allowed researchers to take control of the vehicle. Androids using version 5.1 (Lollipop) and older are vulnerable to such an attack.

In September, Chinese researchers from Keen Security Lab showed how a Tesla Model S could be remotely hacked while it was being driven. The hack demonstrated by Promon, a Norwegian security company, provided “additional functionality” for cyber thugs to control the vehicle, including enabling “keyless driving functionality,” which could allow a crook to drive away with a Tesla without have a key fob present.

“Because of lack of security in the Tesla smartphone app,” Promon wrote, “cyber criminals could take control of the company’s vehicles, to the point where they can track and locate the car in real time, and unlock and drive the car away unhindered.”

Steps to pull this off include social engineering a person to install a malware-tainted app, such as while the person is using free public Wi-Fi. Promon targeted a Tesla Model S owner with an app that would allow the owner to cash in on a free burger at a nearby restaurant. The malware allows a privilege escalation attack; the malicious app gains root permissions.

When the owner later signed into his Tesla app, the malware allowed the hacker to capture the owner’s username and password. The Promon hacker then tracked the Tesla to where it was parked, unlocked the doors, enabled keyless driving and drove off in the stolen Tesla.

In a follow-up post, Promon made it clear, “This attack is not Tesla specific and can in generalized form be used against any app.” However, the firm claimed the Tesla app stored the OAuth token in plain text instead of encrypting it, which made it easier to exploit.

All Androids still using version 5.1 (Lollipop) and older are vulnerable to such an attack. In this case, the malware-tainted app opened the way for a local privilege escalation attack. Android 6.0 Marshmallow, released in October 2015, and the newest Android 7.0 Nougat are not vulnerable. Perhaps if you can afford a Tesla, then you can also afford not to let your phone get over two years old.

The point, however, is that even if you don’t have a Tesla but use an outdated version of Android, your phone or tablet is vulnerable to this flaw. If you take a look at the most recent count of platform versions released by Android Developer, it’s clear that most Androids are not running the two newest versions. Only .3 percent of Androids run the newest Nougat, and 24 percent run Marshmallow.

Put another way, most Androids are vulnerable to such an attack.

Nov 7 2016 Android platform distributions Android Developer

You wouldn’t toss out a two-year-old computer if it is running an older operating system; you’d update it. It’s too bad wireless carriers won’t do the same thing for phones. Not all older phones could handle a newer Android version, but many could. Yet we can’t get carriers to even deploy security patches in a timely fashion to protect users from known flaws. If carriers were to update phones capable of handling newer platforms, it might hurt their precious bottom line if we don’t run out and buy a new phone at least every two years. Yes, rooting a phone is an option to install newer Android platforms, but that also exposes users to vulnerabilities.

Getting back to the Telsa hack that could allow the cars to be stolen, Promon and Telsa are reportedly talking so the flaw in the Tesla app can be fixed. Promon said Tesla should have “followed best practice in security (e.g. as recommended by the Open Web Application Security Project), including applying self-protecting capabilities inside the app, it would have required much higher technical skills—and much more effort—to perform such an attack.”

Tesla claimed it “has never received a report of any car being stolen through a compromised app.” The company also released the following statement:

The report and video do not demonstrate any Tesla-specific vulnerabilities. This demonstration shows what most people intuitively know—if a phone is hacked, the applications on that phone may no longer be secure. The researchers showed that known social engineering techniques could be employed to trick people into installing malware on their Android devices, compromising their entire phone and all apps, which also includes their Tesla app. Tesla recommends users run the latest version of their mobile operating system.

Copyright © 2016 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)