Your Tesla car can be hacked by Android Malware
Researchers from Norwegian security company Promon recently hacked into a Tesla car by rooting some malware into a driver’s Tesla Android app. By obtaining the person’s Tesla app login username and password, hackers could almost fully control the car and even drive it away.
Suppose your new Tesla car was somehow remotely controlled by hackers hiding miles away -- they could start your car's engine, open its doors, or even monitor its driving path on road. That is something to worry about for sure.
Researchers from the Norwegian security company Promon recently hacked into a Tesla car by rooting some malware into a driver's Tesla Android app. By obtaining the person's Tesla app login username and password, hackers could almost fully control the car and even drive it away.
"The security of the internet connected services that we have in our daily lives heavily depends on the app we use to access, monitor and control the devices." Lars Lunde Biirkeland, Marketing Director of Promon said in the videotaped hack test trial.
The researcher created a free wifi hot-spot that's been put on an advertisement at a Tesla charging station. When someone logs into the free wifi, it will pop up an advertisement that says you could get a free burger by installing a restaurant app. When the driver installs the app it roots the malware into the driver's Tesla android app and steals his username and password data. Then the hacker can enable Tesla's keyless driving functionality, and operate a series of actions on the car.
"The methods we use for this are really simple, and have been known for years..and it's also been used by cybercriminals for a long time." Benjamin Adolphi, Software Developer Mobile at Promon, when acting as the hacker, explained that the whole process was just a simple trick.
Why is it so easy for hackers to disrupt a Tesla car? The problem lies in the vulnerability of the Tesla Android app. The app will generate an OAuth token when the driver enters his username and password information to login. The token will be kept for 90 days and then expire -- a convenient way for customers to not type in the information every time when using it.
However, researchers found out that the token is saved in a plaintext file under the app's "sandbox" folder. An attacker could simply read the token if he has access to the Tesla driver's phone. Moreover, there can be multiple ways of modifying the app's source code to steal the login data, besides the fake wifi hot-spot trick mentioned above.
When holding the login information, the hacker could use a laptop to send well-crafted HTTP requests to the Tesla servers with the victim's OAuth token and password when necessary, to do manipulations such as unlock the car and start its engine.
Tesla is certainly to blame for not safely protecting the OAuth token. However, mobile carriers also have responsibility for protecting customers' private information from being stolen. Last year, Google provided timely security updates from the Android OS, which many carriers failed to deliver to their customers.
Promon experts suggest that Tesla's app be equipped with two-factor authentication. To begin, they should avoid saving the OAuth token in a simple cleartext as it will become an easy target for hackers. Meanwhile, the app should prevent easy access to its source code. And it should use a custom keyboard layout when drivers enter passwords so that mobile keyloggers won't be possible.