A security demonstration revealed that the Tesla app is vulnerable to attacks due to storing sensitive data in plain text and lacking protective measures, making it easy for attackers to exploit.
For the original blog post, read here.
This attack is not Tesla-specific and can, in generalized form, be used against any app. However, the Tesla app offered no resistance that would have required time-consuming effort to overcome.
One thing that stood out was that the OAuth token is stored in plain text – absolutely no attempts have been made to encrypt it or otherwise protect it. Access to this one piece of data alone will get you the location of the car, the ability to track the car, and the ability to unlock the car.
Driving off with the car requires the username and password in addition, which was very easy to do since the application did not detect that it had been modified to add malware-like behavior that would send the credentials out of the app to a server.
- The malware used in this demonstration was installed from Google Play using a social engineering technique involving free public Wi-Fi. In this case, the user does not need to authorize the installation of apps from untrusted sources. Several other ways of infecting the device exist, and some require the attacker to use a much more targeted approach (e.g., exploiting a vulnerability in another app, MMS, etc.). These aren’t always as effective as the public Wi-Fi approach.
- The malware used a local privilege escalation attack, affecting all Android devices up to and including Android 5.1. Newer escalation attacks also affect Android 6, but this is not the point of this demonstration. According to the Android Developer Dashboard, as of November 2016:
  - 0.3% of all Android devices run Android 7 (released in 2016)
  - 24% run Android 6 (released in 2015)
  This means that 75% of all Android devices use old versions that are vulnerable to our specific attack. Many phone manufacturers do not update the firmware after a specific time (1-2 years), which means those devices will never receive Android 6 or Android 7.
- The attacked device in this demonstration was a Samsung Galaxy A5 (2014 edition), not rooted. It is important to note that the same malicious intent could have been achieved without the need for privilege escalation, for example, by installing a ‘custom keyboard’ or ‘screen reader’ acting as spyware (keylogger) to steal the username and password.
- Re-packaging the app (as in the described attack variant) and tricking the user into installing the re-packaged Tesla app through ‘side-loading’.

The core of the problem is that it currently requires relatively low technical skills and very little effort for a criminal to perform this kind of attack.
If Tesla had followed best security practices (e.g., as recommended by OWASP), including applying self-protecting capabilities inside the app, performing such an attack would have required much higher technical skills and much more effort.
Promon will not distribute or otherwise make available the tools or attack software used in the demonstration.