The Hacker News — Cyber Security, Hacking, Technology News

New technology is always a little scary, so are Smart Cars. From GPS system and satellite radio to wireless locks, steering, brakes, and accelerator, today vehicles are more connected to networks than ever, and so they are more hackable than ever.

It's not new for security researchers to hack connected cars. Previously they had demonstrated how to hijack a car remotely, and how to disable car's crucial functions like airbags by exploiting security bugs affecting significant automobiles.

Now this time, researchers at Norway-based security firm Promon have demonstrated how easy it is for hackers to steal Tesla cars through the company's official Android application that many car owners use to interact with their vehicle.

Two months ago, Chinese security researchers from Keen Lab managed to hack a Tesla Model S, which allowed them to control a car in both Parking and Driving Mode from 12 miles away.

However, Promon researchers have taken an entirely different approach.

Tesla Stores OAuth Token in Plaintext

The researchers infected a Tesla owner's phone with Android malware by compromising the Tesla's smartphone app, allowing them to locate, unlock and drive away with a Tesla Model S.

However, Tesla has clarified that the vulnerabilities used in the latest attack do not reside in its app, rather the attack employed known social engineering techniques that trick people into installing malware on their Android devices, which compromise their entire phone and all apps, including Tesla app.

In a blog post, Promon researchers explained that Tesla app generates an OAuth token when a Tesla owner log in to the Android app for the first time. The app then uses this token, without requiring the username and password every time the owner re-opens the app.

This OAuth token is then stored in plain text into the device’s system folder which can be accessed by privileged root user only.

Researchers Demonstrates How to Steal a Tesla Car:

According to researchers, it is easy for an attacker to develop a malicious app that contains Android rooting exploits such as Towelroot and Kingroot, which can then be used to escalate the malicious app's privileges, allowing attackers to read OAuth token from the Tesla app.

Stealing this token could enable an attacker to locate the car and open its doors, but could not help the attacker start and drive away with the owner's car.

For this, the malware needs to delete the OAuth token from the owner's phone, which prompts the owner to enter his/her username and password again, allowing the attacker to collect the owner's login credentials.

Researchers say this can be done by modifying the original Tesla app's source code. Since the malware has already rooted the owner's smartphone, it can alter the Tesla app and send a copy of the victim's username and password to the attacker.
With this data, the attacker can perform a series of actions, like locating the car on the road, open its doors, start the car's motor and drive the car away unhindered, just by sending well-crafted HTTP requests to the Tesla servers with the owner's OAuth token and password.

Tesla says it is not the issue with its product but common social engineering tricks used by attackers to first compromise victim's phone, rooting the device and then altering its apps data.

The researchers' attack is only possible when an attacker convinces a victim into downloading a malicious app on his/her Android device.

Next time when you find yourself hooked up behind the wheel, make sure your car is actually in your control.

Hackers can remotely hijack your car and even control its brakes from 12 miles away.

Car hacking is a hot topic.

Today many automobiles companies have been offering vehicles with the majority of functions electronically controlled, from instrument cluster to steering, brakes, and accelerator.

These auto-control electronic systems not only improve your driving experience but at the same time also increase the risk of getting hacked.

The most recent car hacking has been performed on Tesla Model S by a team of security researchers from Keen Security Lab, demonstrating how they were able to hijack the Tesla car by exploiting multiple flaws in the latest models running the most recent software.

The team said the hacks worked on multiple models of Tesla and believed they would work across all marques.

"We have discovered multiple security vulnerabilities and successfully implemented remote, aka none physical contact, control on Tesla Model S in both Parking and Driving Mode," Keen writes in a blog post. "We used an unmodified car with the latest firmware to demonstrate the attack."

"As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars."

In a YouTube video, the team of Chinese researchers Sen Nie, Ling Liu, and Wen Lu, along with director Samuel Lv, demonstrated how it could remotely take control of a Tesla’s brakes and apply the brakes from 12 miles away by compromising the CAN bus that controls many vehicle systems in the car.


The researchers were also able to remotely unlock the door of the car, take over control of the dashboard computer screen, open the boot, move the seats and activate the indicators and windscreen wipers, as well as fold in the wing mirrors while the vehicle was in motion.

The hack requires the car to be connected to a malicious WiFi hotspot and is only triggered when the car's web browser is used.

The team demonstrated the hacks against a Tesla Model S P85 and Model 75D and said its attacks would work on multiple Tesla models. It was able to compromise the Tesla cars in both parking and driving modes at slow speed in a car park.

Also Read: Thieves Can Unlock 100 Million Volkswagens Cars With A Simple Wireless Hack

Tesla Releases Firmware v7.1 (2.36.31) To Patch It

"Within just 10 days of receiving this report, Tesla has already deployed an over-the-air software update (v7.1, 2.36.31) that addresses the potential security issues. The issue demonstrated is only triggered when the web browser is used, and also required the car to be physically near to and connected to a malicious Wi-Fi hotspot. Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly." 

"We engaged with the security research community to test the security of our products so that we can fix potential vulnerabilities before they result in issues for our customers. We commend the research team behind today’s demonstration and plan to reward them under our bug bounty program, which was set up to encourage this type of research."

Thankfully, the vulnerabilities were privately disclosed to Tesla and the company addressed the issues worldwide with an over-the-air software update.

The Keen team said it is Tesla’s "proactive attitude" towards its vulnerability report that made the fix available to its customers within ten days when other automakers required much time and more complex procedures to update vehicles following the major bug exposures.

The team has planned to release details of its hacks in coming days, Keen said on Twitter.