For the original blog post, read here.
This attack is not Tesla-specific; in generalised form it can be used against any app. However, the Tesla app offered no resistance that would have made exploiting it a time-consuming effort.
One thing that stood out was that the OAuth token is stored in plain text: no attempt had been made to encrypt it or otherwise protect it. Access to this one piece of data alone gives you the location of the car, the ability to track the car and the ability to unlock it.
Driving off with the car additionally requires the username and password. Obtaining these was very easy, since the application did not detect that it had been modified to add malware-like behaviour that sends the credentials out of the app to a server.
- The malware used in this demonstration was installed from Google Play using a social engineering technique involving free public Wifi. In this case the user does not need to authorise installing apps from untrusted sources. Several other ways of infecting the device exist, and some require the attacker to take a much more targeted approach (e.g. exploiting a vulnerability in another app, MMS, etc.). These aren't always as effective as the public Wifi approach.
- The malware used a local privilege escalation attack affecting all Android devices up to and including Android 5.1. Newer escalation attacks exist, also affecting Android 6, but that is not the point of this demonstration. According to the Android Developer dashboard, as of November 2016:
– 0.3% of all Android devices run Android 7 (released 2016).
– 24% run Android 6 (released 2015). This means that roughly 75% of all Android devices are running older versions that are vulnerable to our specific attack. Many phone manufacturers stop updating the firmware after a certain time (1-2 years), so those devices will never receive Android 6 or Android 7.
- The attacked device in this demonstration was a Samsung Galaxy A5 (2014 edition), not rooted.
It is important to note that the same malicious goal could have been achieved without privilege escalation, for example by:
- Installing a 'custom keyboard' or 'screen reader' that acts as spyware (a keylogger) to steal the username and password.
- Re-packaging the app (as in the described attack variant) and tricking the user into installing the re-packaged Tesla app through 'side-loading'.
The core of the problem is that it currently requires rather low technical skill and very little effort for a criminal to perform this kind of attack.
If Tesla had followed security best practice (e.g. as recommended by OWASP), including applying self-protecting capabilities inside the app, such an attack would have required much higher technical skill and much more effort.
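To make the two points above concrete (the plaintext token in the third paragraph and the missing self-protection here), the following is an added example written for this page; it is not Tesla's or Promon's code. The `TokenVault` class, its preference names, key alias and the all-zero pinned certificate digest are assumptions. It shows the weak plaintext-SharedPreferences pattern next to a hardened version that keeps the OAuth token under a non-exportable AES-GCM key in AndroidKeyStore (this needs API 23, i.e. Android 6; on the older devices the dashboard figures above describe, the usual fallback is an RSA Keystore key, available since API 18, that wraps an app-generated AES key), plus a signing-certificate check that trips when the APK has been re-packaged and re-signed with an attacker's key.

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical helper (example code, not Tesla's or Promon's). Requires API 23+. */
public final class TokenVault {
    private static final String PREFS = "session";              // assumed file name
    private static final String PREF_KEY = "oauth_token";       // assumed pref key
    private static final String KEY_ALIAS = "oauth_token_key";  // assumed Keystore alias
    private static final int GCM_TAG_BITS = 128;

    // Assumed placeholder: SHA-256 of the release signing certificate, compiled in at
    // build time (the same digest `apksigner verify --print-certs` reports).
    private static final String EXPECTED_CERT_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private TokenVault() {}

    /** The weak pattern from the post: the token lands on flash in clear text. */
    public static void storeTokenPlaintext(Context ctx, String token) {
        prefs(ctx).edit().putString(PREF_KEY, token).apply();
    }

    /**
     * Re-packaging check. A modified APK has to be re-signed with the attacker's key,
     * so its certificate digest no longer matches the compiled-in one. Call at
     * start-up and refuse to run, or to release credentials, on mismatch.
     */
    public static boolean signingCertMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length != 1) {
                return false; // unexpected signer count is itself a red flag
            }
            byte[] actual = MessageDigest.getInstance("SHA-256")
                    .digest(info.signatures[0].toByteArray()); // DER-encoded X.509 cert
            return MessageDigest.isEqual(actual, hexToBytes(EXPECTED_CERT_SHA256));
        } catch (PackageManager.NameNotFoundException | GeneralSecurityException e) {
            return false;
        }
    }

    /** Hardened pattern: AES-256-GCM under a key that never leaves AndroidKeyStore. */
    public static void storeTokenEncrypted(Context ctx, String token)
            throws GeneralSecurityException, IOException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, getOrCreateKey()); // Keystore picks a fresh random IV
        byte[] ct = c.doFinal(token.getBytes(StandardCharsets.UTF_8));
        String blob = Base64.encodeToString(c.getIV(), Base64.NO_WRAP) + ":"
                + Base64.encodeToString(ct, Base64.NO_WRAP);
        prefs(ctx).edit().putString(PREF_KEY, blob).apply();
    }

    /** Returns null when no token is stored; throws if the blob fails GCM authentication. */
    public static String loadTokenEncrypted(Context ctx)
            throws GeneralSecurityException, IOException {
        String blob = prefs(ctx).getString(PREF_KEY, null);
        if (blob == null) return null;
        String[] parts = blob.split(":", 2);
        if (parts.length != 2) throw new GeneralSecurityException("malformed token blob");
        byte[] iv = Base64.decode(parts[0], Base64.NO_WRAP);
        byte[] ct = Base64.decode(parts[1], Base64.NO_WRAP);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, getOrCreateKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    private static SecretKey getOrCreateKey() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        KeyStore.Entry entry = ks.getEntry(KEY_ALIAS, null);
        if (entry instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey(); // key material is generated and kept inside the Keystore
    }

    private static SharedPreferences prefs(Context ctx) {
        return ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}
```

Two caveats a practitioner should keep in mind. First, neither measure is a complete answer to the root exploit described above: malware running as root can still call into the Keystore under the app's UID, and a determined re-packager can patch the certificate check out, which is why such checks are normally combined with obfuscation and integrity checks on the check itself (the "self-protecting capabilities" referred to in this paragraph). Second, what the hardened version does achieve is exactly what the plaintext storage gave away for free: the token on flash is useless off the device, and a copied or re-signed app no longer gets it without extra work.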
Promon will not distribute or otherwise make available the tools, or attack software used in the demonstration.
For the record, we admire Tesla as a company.