Our researchers have demonstrated that, because of a lack of security in the Tesla smartphone app, cyber criminals could take control of the company’s vehicles, to the point where they can track and locate the car in real time, and unlock and drive the car away unhindered. Such a hack gives criminals total control of the vehicle, providing additional functionality to that exposed by Keen Security Labs in a different hack in late September.
According to TrendMicro, nearly 90 percent of Android devices are exposed to at least one critical vulnerability, because of Android handset makers’ failure to deliver patches. Also according to a recent study, mobile users are massively unaware of cyber threats, with an overwhelming 89 percent of respondents admitting they wouldn’t know if their device has been infected through a cyber attack.
Therefore, it is imperative that IT leaders extend their security remit, and take proactive steps to ensure that the data held on customers’ mobile devices is just as safe from malware and other threats as the data hosted on their servers.
As illustrated in the demonstration video, our experts have been able to take full control of a Tesla vehicle, including locating and tracking the car, opening the doors and enabling its keyless driving functionality. Crucially, this is all done by attacking and taking control of the Tesla app, which underlines the vital importance of watertight app security and the wider implications this has for IoT-connected devices in general.
An analysis of the functionality provided by the Tesla app indicated that the following actions are possible (among many others that were not investigated further):
- Locate and track the car.
- Open the doors of the car.
- Enable the keyless driving functionality that makes it possible to drive the car without the key fob present.
Being able to perform these actions, criminals are able to steal a Tesla.
The actions are performed by sending an HTTP request to the Tesla server. All the requests need to provide an OAuth token. This token is obtained by authenticating using the username and password. The first time the user logs into the Tesla app, the token is obtained and then stored in cleartext in a file in the app’s sandbox folder. When the app is restarted, the token is read and used for subsequent requests.
In our tests, this token was valid for 90 days, meaning that the user has to re-enter his username and password once in a while. Stealing this token enables an attacker to locate the car and open its doors. In order to enable keyless driving, the password is required as well. Because of that, the hack focused on obtaining the username and password.
So how can the username and password of a Tesla user be determined?
There are many ways, but here the following attack is performed: the Tesla app is modified by adding code that steals the username and password and sends them to an attacker-controlled server. In order to trigger this code, the user needs to log in again. The Tesla app can be tricked into requiring the user to log in by simply removing the stored token.
But how can the Tesla app be replaced and the token be manipulated? This can be done with a privilege escalation attack similar to rooting apps like Towelroot and Kingroot or malware like Godless and HummingBad. Root permissions can be obtained and the above-mentioned actions can be performed.
The only thing left to do is to trick the Tesla owner into installing this malicious app. Again, there are many ways. One way is through a phishing attack where a free Wi-Fi hotspot is created. Preferably the name of the Wi-Fi network is related to something close by, e.g. the name of a nearby burger restaurant.
When the Tesla owner connects to the Wi-Fi hotspot and visits a web page, he is redirected to a captive portal that displays an advertisement targeting Tesla owners. In this example, an app was advertised that offers the Tesla owner a free meal at the nearby restaurant. When the Tesla owner then clicks on the advertisement, he is redirected to the Google Play store where the malicious app is displayed.
After the Tesla owner has installed and started the malicious app, it will then gain root permissions and replace the Tesla app. When the user starts the app the next time, he will be prompted to provide his username and password. The manipulated Tesla app then sends the username and password to an attacker-controlled server and the attacker is then able to steal the Tesla owner’s car by making a few HTTP requests.
Possible improvements to the security of the app:
The OWASP Mobile Security Project’s Top Ten Mobile Risks for 2014 provides a good foundation. Below are some of our findings.
- The application should detect that it has been modified.
- The authentication token should not be stored in clear text.
- The security of the authentication can be improved by requiring two-factor authentication.
- The app should provide its own keyboard for entering the username and password. Otherwise, malicious third-party keyboards can act as keyloggers to obtain the user’s credentials.
- The app should be protected against reverse engineering.
While most of these should not be necessary if one could trust the user’s device to not be compromised, the reality is that most Android users are at risk because the latest Android version is not available to them.
Your end-users are the weak link in mobile security!
With mobile phones now an everyday item, the ideal of safe usage can always be compromised by human error. It is impossible to control how every single user goes about using their mobile device, whether you are a car manufacturer, a retailer or a bank.
In an age where hackers are an ever-growing force to be reckoned with but many users remain ignorant of the risks, embracing Runtime Application Self-Protection (RASP) technology is a hugely effective way for app developers to stay ahead of the game.