Slashdot Mirror


Android Malware Used To Hack and Steal Tesla Car (bleepingcomputer.com)

An anonymous reader writes: By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn't that difficult according to a demo video from Norwegian firm Promon. This malicious app can use many of the freely available Android rooting exploits to take over the user's phone, steal the OAuth token from the Tesla app and the user's login credentials. This is possible because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection, allowing attackers to alter the app's source code and log user credentials. The OAuth token and Tesla owner's password allow an attacker to perform a variety of actions, such as opening the car's doors and starting the motor.

118 comments

  1. Why bother with hacking? by DatbeDank · · Score: 0

    When you can get a tow truck and lift the Tesla onto it.

    1. Re:Why bother with hacking? by stooo · · Score: 2

      Because a tow doesn't start the car.
      If you tow it away, typically you would like to start it afterwards.

      --
      aaaaaaa
    2. Re:Why bother with hacking? by Anonymous Coward · · Score: 1

      You don't really "start" an electrical car, do you?

    3. Re:Why bother with hacking? by stooo · · Score: 1

      You "start" an electrical car.
      The switched 12V power supply that is used to ENABLE the powertrain still has the traditional name "IGNITION", even if the car does not have an ignition at all (Diesel, Electric...) or if the ignition signal is further gated (hybrid gasoline...)

      --
      aaaaaaa
    4. Re: Why bother with hacking? by Anonymous Coward · · Score: 0

      yep, i'm still reading slashdot

  2. So don't use apps by Anonymous Coward · · Score: 0

    Tesla has responded that they won't be responsible for weaknesses in the platform running the app. Which is reasonable.

    So - don't store a "car key" or anything of value in a phone app at this time.

    Apps for controlling the stereo, map displays or extracting car computer logs are fine. But nothing that lets you take the car itself. Bringing and using a car key is not hard.

    1. Re: So don't use apps by Anonymous Coward · · Score: 0

      Note to self: Do not install apps for my cars (check - covered under my don't buy or allow IoT devices on my home network policy).

      My current car has GM's OnStar system, though it's not "active" with a subscription, and Bluetooth pairing for hands-free calling. I wonder if either of those have been hacked? Suppose I can find the OnStar box and unplug it.

    2. Re:So don't use apps by fluffernutter · · Score: 1

      They should have called themselves Teflon, not Tesla. Nothing seems to stick to them. It's all the customer's fault.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    3. Re: So don't use apps by Anonymous Brave Guy · · Score: 4, Interesting

      The thing that worries me is that pretty soon, you won't be able to buy any car that doesn't include a whole bunch of electronic remote communications, whether you want it or not, and regardless of whether you consider it a security and/or privacy risk.

      Here in the UK insurers routinely demand that a recognised tracker device be installed in faster/higher-end vehicles as an anti-theft measure before they will provide cover. Moreover, I don't know myself where the tracker is installed in my own vehicle, because no-one except the person who actually did the installation does; apparently the people who do it won't even tell the dealers or allow anyone else in the room while they're working. I have some reservations about that already given the obvious privacy implications and the legal requirement to have insurance to use the car. But at least that is a separate system, operated by a private company whose contract is with me and whose reputation would be on the line if it came out they were activating the tracking for any reason other than my calling them and asking them to.

      With modern cars that come with the likes of OnStar as standard, or with the new European eCall system that will be mandatory for all new cars sold in Europe within the next couple of years, you're talking about an electronic system that is intimately connected into the operational systems on the car and has remote communications capabilities. Given the notorious lack of security within a typical car's software environment, these systems seem potentially very dangerous to me, despite being well-intentioned and presumably being beneficial if you really are in a serious accident.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re: So don't use apps by drewsup · · Score: 1

      It will be behind the glove box; they always are, to tap into car data.

    5. Re: So don't use apps by MachineShedFred · · Score: 1

      It depends on the app, I suppose. Some car manufacturers actually thought through this - BMW ConnectedDrive will allow you to lock the doors from your phone without hassle, but the unlock feature requires a phone call where a friendly agent verifies your identity. The function isn't even in the application - it's just a button that dials their 1-800 number.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    6. Re: So don't use apps by MachineShedFred · · Score: 1

      Yeah, how dare Tesla not fix Android's flaws and horrible cross-application security model. What a bunch of scammers!

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    7. Re: So don't use apps by TheRaven64 · · Score: 1

      It's not Tesla's fault that Android is insecure. It is Tesla's fault that they encourage customers to use an app on a known-to-be-horribly-insecure platform to lock and unlock their car.

      --
      I am TheRaven on Soylent News
    8. Re: So don't use apps by JaredOfEuropa · · Score: 2

      Thieves going after high end vehicles routinely carry GPS / GSM jammers to ensure the tracker either gets no position fix or won't be able to communicate with the mothership. The equipment isn't especially expensive or hard to come by. I wonder why insurers still demand them.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    9. Re: So don't use apps by phayes · · Score: 2

      So your thinking is that Tesla should up the price of all their cars by ~$1000 and include an iPhone with every car?
      Just abandon Android as insecure?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    10. Re: So don't use apps by fluffernutter · · Score: 1

      If Tesla didn't feel they could get behind the security of Android then they shouldn't have made the app. Google's loss. Maybe they'll make Android more secure.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    11. Re: So don't use apps by fluffernutter · · Score: 1

      I think it was Tesla's choice to do that, and they chose otherwise.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    12. Re: So don't use apps by fluffernutter · · Score: 1

      Tesla didn't have to make an Android app.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    13. Re: So don't use apps by Anonymous Coward · · Score: 0

      May not be their fault for the security problem, but they could have...you know...not stored the credentials in clear text.

    14. Re: So don't use apps by Dare nMc · · Score: 1

      Right, they locked out a function from the users but not from the hackers: "They were able to reverse engineer some of the software that we use for our telematics," said Dave Buchko, a BMW spokesman. "With that they were able to mimic the BMW server."

      BMW didn't even think to use https to access their cars' lock and unlock during design. A quick search shows lots of issues with the BMW connected drive security.

    15. Re: So don't use apps by Anonymous Coward · · Score: 4, Interesting

      I live in eastern Europe and we're way ahead of you guys on this one. When you want to get insurance for a reasonably new car the insurance guys disassemble and rewire your OBD2 ports in a pseudo-random manner. Then they wire you an OBD2 F2F adapter whose input is your scrambled OBD2 and the output is the standard working one. In short, your car's OBD2 doesn't work without the adapter, so as long as you don't leave your adapter in the car your port is unusable without rewiring it back to a working condition.
      Now granted this is a bit of security through obscurity, but it means a thief can't easily plug a laptop in your CAN to hotwire your car. Sure, if the thief has the time to disassemble your OBD2 port and can rewire it back they can steal your car eventually. However, this turns a 30-second job into a 5-10 minute job that requires extra tools and know-how and for a lot of car thefts that's good enough as prevention.
      What I'm saying is, there's no car on the market that won't run without fancy remote/multimedia functionality. I can bet that even if the automakers want to make a car like that it will have a hell of a time getting certified.
      TL;DR: The extra functions can easily be scrambled or unplugged internally in a way that disables them completely.

    16. Re: So don't use apps by phayes · · Score: 1

      "That" being what?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    17. Re: So don't use apps by fluffernutter · · Score: 1

      Tesla could have only released the app on iPhone, or sold an iPhone with Tesla, no one is preventing them from doing that. They made the choice to release the app on Android so now they should stand by it.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    18. Re: So don't use apps by phayes · · Score: 1

      So you think that it's Tesla's fault that Android, the widest deployed smartphone OS is a POS security wise. Ohkaaayyy...

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    19. Re: So don't use apps by fluffernutter · · Score: 1

      It's not their fault that Android is a security risk. You're putting words into my mouth.

      Tesla can't control Android, but they can decide whether they put their app on Android or not. If Tesla is comfortable putting their name behind an Android app that can start cars, then obviously they don't think Android is the POS that you think it is. They wrote the app, they can accept the risk for it. Or, they could only publish on iPhone only and say, "We're sorry we did not feel Android was secure enough for an app that starts our cars."

      It is about Tesla taking responsibility for their actions.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    20. Re: So don't use apps by phayes · · Score: 1

      If you don't want people putting words into your mouth you're going to have to start explaining how you a coherent position.

      So now you're claiming that Tesla should prevent people from installing insecure applications on their Android smartphones? The Tesla app isn't insecure, The token it uses to communicate with cars can just be stolen by other bad intentioned apps, something that could happen just as well on iOS.

      Tesla should pull its Android app just because some people can't stop themselves from installing every free game they see because each and every one could potentially steal the token from their Android app? And for you the fault lies with Tesla and not with Google nor with the insecure practices of the owners?!?

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    21. Re: So don't use apps by fluffernutter · · Score: 1

      YES that's what I'm saying. I'm not saying Tesla should pull their app, I'm saying it is their choice whether they pull the app or not. If Android was not secure enough to host their app then they shouldn't have made it. You can use the car without the app, so buy an iPhone or suck it up; and I am an adamant Android user. Maybe you aren't familiar with programming but an app is only as secure as the OS it sits on. Tesla should have researched Android and known what they were getting into. It seems like they just rush headlong into everything and expect their customers to take the risk and blame. Anyway the app itself stored the tokens in plain text which was wrong, but I think it goes far beyond that.

      On the other hand, I guess if a high tech company like Tesla feels Android is safe enough, then all the complaints about Android security are hot air. Nor will Google ever have any incentive to improve it.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    22. Re: So don't use apps by phayes · · Score: 1

      So you're one of those blame the victim guys. I'm mostly an iPhone guy but have had pro Androids since Blackberry died. I'm not a potential Tesla owner as they have 2 wheels too many & I don't see my company buying Teslas before I retire in a decade or two for my company car.

      That Android has a security problem is no revelation to me as it is one of the reasons I chose iPhones yet even with all that said, Tesla isn't to blame here.

      If you want to push Google to improve Android's Security, stop blaming the victims & start voting with your wallet by abandoning Android. Oh but that would inconvenience you by making your personal choices mean something so you'll continue to blame others and continue funnelling money to Google so they have no reason to change.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
    23. Re: So don't use apps by MachineShedFred · · Score: 1

      I'm not saying that there can't be vulnerabilities elsewhere in the chain, but at least they thought about having that function available on OS platforms and hardware that they have absolutely no control over, and have no remedy to fix exploits of when it's loaded onto thousands of phones with dozens of combinations of hardware / software. And, BMW does not offer remote start capabilities - the most you could do is unlock the doors. You would still need to deal with any ignition immobilizer in place once you are inside, though that has been dealt with through the OBD2 interface in the past.

      Still, we're talking about now exploiting multiple vulnerabilities in various systems, as opposed to getting a user to download some piece of shit app and have their car start for you.

      In your reply you basically just said "but they have some backend system not running on a phone, and not running a phone OS, and not running a phone application that was exploited in a completely different way to achieve a completely different result!" It's moving the goalposts, and mostly irrelevant to the topic at hand.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  3. I smell a law suit here by bogaboga · · Score: 2

    ...because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection...

    There is a law suit I am smelling here. Am I alone?

    1. Re:I smell a law suit here by geekmux · · Score: 1

      ...because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection...

      There is a law suit I am smelling here. Am I alone?

      "The only hard part is tricking Tesla owners into installing an Android app on their phones..."

      "Android Malware Used to Hack..."

      A lawsuit against who exactly? Android, for allowing malware onto their platform so easily, or fucking ignorant humans who don't care enough about security and install anything shoved in front of their face, infecting their phone?

      My patience for both groups grows very fucking thin, but I'm having less and less of a problem these days calling out stupid people.

      I blame Tesla software coders last here, because that's an easy fix by comparison.

    2. Re:I smell a law suit here by mrclevesque · · Score: 1

      "I blame Tesla software coders last here, because that's an easy fix by comparison."

      Sounds like what Elon said, but if it made it to court it might be decided otherwise.

    3. Re:I smell a law suit here by CastrTroy · · Score: 1

      Personally, I don't really fault the makers of the Tesla app very much. Even if they had encrypted the OAuth token and taken more security measures, once the phone is rooted by some rogue app, there's only so much you can do.

      It's similar to the problem of Filezilla storing FTP passwords in plaintext. Once you have malware on your machine, encrypting the passwords is going to do very little to protect them, since there are so many other ways to attack the system to get the passwords. There's also a simple fix. If you don't like how Filezilla handles passwords, then use a dedicated password storage program such as KeePass or PasswordSafe to store your passwords. Similarly, if you don't like the security offered by the Tesla Android app, then you simply don't have to use the feature at all.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    4. Re:I smell a law suit here by geekmux · · Score: 1

      "I blame Tesla software coders last here, because that's an easy fix by comparison."

      Sounds like what Elon said, but if it made it to court it might be decided otherwise.

      Elon could legally mitigate that risk by simply ordering the software bug to be patched immediately, thus demonstrating that he actually gives a shit.

      Now, go try patching stupidity and ignorance. I'd rather haul humans into a courtroom for exhibiting that behavior in order to try and curb the devolution of mankind we're seeing today in the endless race to make everything idiotproof.

    5. Re:I smell a law suit here by crashumbc · · Score: 1

      While I generally agree with "personal responsibility"

      "...because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection..."

      In this day and age? Are you fucking kidding me?

      Yes, I think this constitutes lawsuit worthy, they're not coders they're complete incompetent hacks.

    6. Re: I smell a law suit here by Anonymous Coward · · Score: 0

      Rooted phone, it doesn't matter cleartext or not.

    7. Re:I smell a law suit here by fnj · · Score: 2

      For God's sake, Android is one giant security nightmare from the git go. So is iOS. So are computers in total. You can't "patch" away the reality. With great capability comes great potential for wrongdoing. The black hat is ALWAYS going to be ahead in the arms race. The black hat only has to nose around endlessly and find a single vulnerability. The good guys have to constantly plug ALL the holes that spring up. It's like trying to protect against IEDs by devising constantly stronger armor. You take what used to be a cost-effective jeep and end up with a rolling monster weighing as much as a WW II tank, gulping fuel like a drain, and costing as much as if it were solid gold. And all they do is make bigger IEDs. Even if you make the armor a foot thick including an awkward sideways-deflecting floor and bulletproof glass, they make the IEDs so big the goddam thing gets blown end-over-end and lands upside down 50 feet away, everybody inside dead from the concussion.

    8. Re:I smell a law suit here by fnj · · Score: 1

      Encrypt away, and obscure it against reverse engineering, then. That didn't prevent them from breaking Enigma 75 years ago. You can barely slow them down today, and they will be laughing at you for the futility of what you attempt.

    9. Re:I smell a law suit here by geekmux · · Score: 1

      For God's sake, Android is one giant security nightmare from the git go. So is iOS. So are computers in total. You can't "patch" away the reality. With great capability comes great potential for wrongdoing...

      Then perhaps we should stop with the fucking "potential" feature race already.

      Take one of our largest problems today. 20 years ago it was essentially impossible to "hack" a cell phone in the same way you can today due to the utter lack of features. Back then, it was more about hacking the unencrypted cellular traffic itself, which sadly we have the devolution of our Constitutional rights to thank for shit like IMSI catchers to rape innocent citizens of their privacy today. As a result, you have a very small group of companies making specialized cellular hardware in an attempt to make it hack-proof, which ironically points back to the same level of features we had when it was far more secure, as in little or none.

      The core problem lies with greedy vendors, not with consumers. It is not the consumer demanding the obscene amount of "features" present today in cellular products. It's the fucking vendor feeding an unending "potential" arms race, along with their incessant demand that everything you own comes with multiple monthly revenue streams baked into the product. And this model is infectious. 20 years from now you won't even be allowed to own anything. You'll rent or lease it.

      In short, fuck you greedy vendors, for making our world so damn insecure.

  4. Android security flaw and not Tesla security flaw? by DiniZuli · · Score: 5, Informative

    Here is another take on the same story: https://electrek.co/2016/11/23...

  5. Re:Tesla Android by stooo · · Score: 3, Interesting

    This has nothing to do with the subject.
    If you give the right to your phone to start your car, don't expect your phone not to be hacked, whatever the phone O.S.

    Also in general, don't expect your phone not to be hacked.

    --
    aaaaaaa
  6. I can do you one better by houghi · · Score: 4, Insightful

    I can steal one by hitting people with a Nokia phone and it isn't limited to one brand of cars.
    You can also use a toaster if it runs Linux.

    Seriously, this is just another "via the Internet" thing that is used with almost anything to pretend it is something new. The article is "You can steal a car if you steal the keys".

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:I can do you one better by AmiMoJo · · Score: 1

      The difference is that the victim will have a much harder time convincing their insurance company and the cops that they weren't negligent and aren't running a scam.

      There was a spate of thefts of BMWs and other expensive cars a few years ago. No alarms, no broken glass, cars driven away despite having immobilisers, victims accused of losing the keys etc. Turned out that you could prevent the car from locking properly, then once inside use the OBD-II diagnostic port to clone the keys and drive it away.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:I can do you one better by Anonymous Coward · · Score: 0

      I can steal one by hitting people with a Nokia phone and it isn't limited to one brand of cars. You can also use a toaster if it runs Linux.

      Seriously, this is just another "via the Internet" thing that is used with almost anything to pretend it is something new. The article is "You can steal a car if you steal the keys".

      Screw stealing cars, when these things become self driving we'll get an epidemic of script kiddies hacking these things via the internet and sending them on an overland drive to Canada or Mexico just for a laugh.

    3. Re:I can do you one better by tehcyder · · Score: 1

      I can steal one by hitting people with a Nokia phone and it isn't limited to one brand of cars.

      That's a different level of crime though.

      It's like saying that PIN numbers on bank cards are useless because someone could always kidnap and torture the information out of you.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    4. Re:I can do you one better by Anonymous Coward · · Score: 0

      This is nowhere near equivalent of your examples. This is someone picking your pocket for your keys, making a copy, and putting them back without your knowing. You won't know anything is up until your car is already gone. If you don't have security cams there's also no witnesses, not even a time frame for the crime.

      It's important to bring attention to issues like this so that security loopholes get fixed, or better yet don't make it into the wild in the first place. The future is going to suck if I have to independently secure every single machine I own against many different types of attacks. I barely like dealing with my PC at home after work.

    5. Re:I can do you one better by Anonymous Coward · · Score: 0

      I actually think this is a real problem and a good hack to show the problem. The Tesla app's cryptographic keys must be stored on the device. That obviously allows an attacker with root access to obtain them. It's a reasonable security measure to add some form of obfuscation to make reverse engineering more difficult. It looks like Android already has the capability to do obfuscation in the SDK with ProGuard.

  7. Re:Android security flaw and not Tesla security fl by Anonymous Coward · · Score: 0

    Here’s a good way to look at it: when you have a car that can be unlocked and driven using an app on your phone, your phone becomes a key to your car.
    Wrong!
    When you have a car that can be unlocked and driven using an app on your phone the car manufacturer is a fucking hipster.

  8. Reverse engineering protection? by Anonymous Coward · · Score: 0

    I get why it is a bad idea to let the OAuth token lying around in cleartext (shouldn't Android's compartmentalization make sure only the relevant app has access to this? But hey, security by layered obfuscation still good for surprises, I guess).

    But what the fuck is "reverse engineering protection"?

    1. Re:Reverse engineering protection? by stooo · · Score: 1

      Yes, I also don't get this one, it's moot.

      --
      aaaaaaa
    2. Re:Reverse engineering protection? by Anonymous Coward · · Score: 0

      But what the fuck is "reverse engineering protection"?

      It's using single letter variable names, and re-using the same ones as much as possible. If you use a descriptive name, make sure it describes something totally different from the variable's purpose.

  9. no starting required by Anonymous Coward · · Score: 0

    A Tesla does not need starting. Maybe switching on, or more likely going from standby mode to full power mode. Starting is for engines that burn fossil fuels.

    1. Re:no starting required by Anonymous Coward · · Score: 0

      Electric cars don't roll just because you press the pedal.
      The motor doesn't need 'starting' like an engine, true. You still turn a key to switch on the controls. Not because of mechanical necessity, but as a safety feature. Kids playing in the car can't accidentally start it when you have the key - neither can thieves. Switching the car on is still called 'starting it' because of tradition. People understand what you mean. Similar to how people talk about 'turning on the lights' even though the rotary light switch is outdated and almost always replaced with a button/toggle type switch for the last 50 years.

  10. Re: Tesla Android by Anonymous Coward · · Score: 4, Insightful

    actually,...

    Do expect Android to be hacked and all your info leaked to cave monkeys handling Google's development in some smelly jungle.

    Google getting all your data via Android is neither a hack nor a leak.

    It's a feature.

  11. One step closer by Anonymous Coward · · Score: 0

    To using Tesla autopilot to steal the car for you and having it drive itself to any location you specify.

    1. Re:One step closer by Rei · · Score: 1

      It would make for a funny zero-day situation, where someone simultaneously steals every net-connected Tesla in the US, orders them to drive to a friend's house, and then shuts down all external communication with the vehicles ;) Every last road for dozens of kilometers would be clogged up as the route finding system tries to find ways to get there that aren't already jammed up.

      Just a random unrelated thought: 10-20 years from now, autopilot and the like are going to be beloved by insurgent groups. One of today's preferred insurgent tactics is the VBIED, where they armour a truck up like a tank (at least from the front), load it with several tonnes of explosives, and drive it straight into enemy formations. They're very effective, even if just a small fraction of them make it through. Some groups in Syria are now experimenting with remote VBIEDs, using RF or wire communications to control the vehicle without the need to sacrifice a driver. But with autopilot? Just punch in the destination, disable / fake the driver sensors, and off it goes.

      --
      Wingus, Dingus! Listen up!
    2. Re:One step closer by Anonymous Brave Guy · · Score: 2

      I appreciate your smiley, this is actually a serious security issue. The trouble is, it's not even an insurgent on the far side of the world driving a remote controlled weapon that is the biggest concern. It's an insurgent on the far side of the world turning your own car into a remote controlled weapon while you and your family are driving home in it from a shopping trip, along with many other cars at the same time.

      I disapprove of fear-mongering over terrorism as much as the next guy, but objectively, the reason 9/11 was so devastating was that it turned an everyday facility that many of us take for granted into a weapon, unexpectedly. And the reason the botnet that took down several major websites a little while back was so devastating was that it co-opted the insecure connected devices of numerous otherwise innocent third parties to do its dirty work. The parallels with what could happen with insecure remote communications and software control systems in modern cars are disturbing, and there have already been plenty of demonstrations showing how insecure many of these systems really are today.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:One step closer by Anonymous Coward · · Score: 0

      I think that is less of a concern.
      If they implement the protections against crashing into other things properly it will be difficult to circumvent those.
      So the best they will be able to do is change your destination, which you will presumably notice if you are actually in the car.

    4. Re:One step closer by Rei · · Score: 1

      Indeed. The NHTSA would never approve of a situation where commands transmitted by smartphone or other data link override commands physically given from hardware inside the vehicle.

      --
      Wingus, Dingus! Listen up!
    5. Re: One step closer by Anonymous Coward · · Score: 0

      They'll just use the non unique super unstealable police key: 505050

    6. Re:One step closer by green1 · · Score: 1

      Of course they will. In fact, eventually they'll mandate it. They'll want the police to be able to stop your car remotely. Of course eventually someone other than the police will use the same method, but "think of the children" or "terrorists!" will cause them to implement it anyway.

    7. Re:One step closer by Anonymous+Brave+Guy · · Score: 1

      I'm sorry to be the bearer of bad news, but vehicles with such vulnerabilities have already been compromised on public roads in at least one controversial demonstration. This is not a hypothetical threat. Vehicles vulnerable to this sort of attack are on the roads today, yet so far governments and their regulators either don't understand the dangers or don't seem to be willing to act on them.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  12. BREAKING NEWS! by Anonymous Coward · · Score: 1

    Everything is hackable. Film at 11.

    1. Re:BREAKING NEWS! by stooo · · Score: 1

      The difference is in some cases it is pre-hacked by adding backdoors. And that's especially bad !

      --
      aaaaaaa
    2. Re:BREAKING NEWS! by Anonymous Coward · · Score: 1

      The difference is in some cases it is pre-hacked by adding backdoors. And that's especially bad !

      Adding backdoors? Don't be silly -- Teslas already have back doors. That's how your kids get in the car.

  13. Breaking news!!! by Anonymous Coward · · Score: 0

    You can easily take over a device if you succeed in convincing targeted user to install a malicious app, other news at 5.

  14. Sock full of batteries by mschaffer · · Score: 2

    You don't even need an OS and the battery life is better. Just club someone with a sock full of batteries (don't even need to be LiPos). You don't even need to charge the batteries.

    1. Re: Sock full of batteries by Anonymous Coward · · Score: 0

      The real problem is that, just using your phone, you can start the neighbor's autonomous car and have it drive to the beach. Virtual joy rides!

    2. Re: Sock full of batteries by stooo · · Score: 1

      >> you can start the neighbor's autonomous car
      Nobody has neighbours with autonomous cars.

      --
      aaaaaaa
    3. Re: Sock full of batteries by Anonymous Coward · · Score: 0

      The real problem is that, just using your phone, you can start the neighbor's autonomous car and have it drive to the beach. Virtual joy rides!

      To the beach? Hack a few tens of thousands of self driving Teslas, send them to the Bonneville salt flats and have them arrange themselves into a giant image like Vlad Putin riding a bear, or something even tackier than that, like .... ummmm... Ben Carson's Jesus painting?

    4. Re: Sock full of batteries by Anonymous Coward · · Score: 0

      Paintings? How about DDOS the freeways.

  15. Re: Tesla Android by Anonymous Coward · · Score: 0

    You seem to be having some trouble wielding the English language.

  16. Re: Android security flaw and not Tesla security f by Anonymous Coward · · Score: 0

    It would be cool though if I could plug in an xbox controller to drive with.

  17. Customer service by fluffernutter · · Score: 1

    I miss the days where a company would be considered a bad company if they blamed customers for problems that happened with something they created and sold as a feature.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re: Customer service by MachineShedFred · · Score: 1, Informative

      I miss the days when people actually took responsibility for doing stupid things.

      Would you blame Ford if someone left the keys in their car when running into a convenience store and came back out to see their car gone? Because that's what you are doing here.

      Fuck off, troll.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    2. Re:Customer service by tbannist · · Score: 2

      I don't know, this does sound a little bit like blaming Ford because your car was stolen when you handed the keys to some guy wearing a red coat and hat outside a posh restaurant. Is it really a security flaw with your car if the restaurant doesn't actually have valet parking?

      And from the other article someone posted above, this apparently requires that you have the Tesla app on an out-of-date Android phone, the flaw used in the demonstration to steal the OAUTH data has already been patched...

      --
      Fanatically anti-fanatical
    3. Re: Customer service by fluffernutter · · Score: 1

      Apple makes much profit, I am constantly reminded because people don't understand technology. Elon was so concerned that people wouldn't understand Autopilot that he had to put a page in the manual. Can Tesla confirm that people are properly educated on this? This isn't stupid people doing stupid things. It may seem stupid to you and me because if we are here we understand technology. It is obvious that a lot of people don't. They need help in the Apple Store setting up a MacBook for crying out loud. If a company that they admire is behind something, they will accept it without questioning.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    4. Re:Customer service by fluffernutter · · Score: 1

      As a Tesla owner, I didn't put the app on Android. Therefore it is more like Tesla handing your keys to some guy wearing a red coat and hat outside a posh restaurant. Or at the very least, it is like handing the valet the key that isn't supposed to open the trunk but yet finding something from the trunk missing because there was a flaw with the key that allowed the valet to open the trunk after all.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    5. Re:Customer service by Fire_Wraith · · Score: 1

      I don't see where Tesla blamed the customers for this. I don't see where Tesla said anything in TFA, actually. This is also a proof of concept attack, not a real-world one. Tesla also has a (serious) bug bounty program, which is more than can be said of many other car manufacturers. Hell, Tesla even brought one of its cars to Defcon in 2015 and had it on the main floor, inviting people to try and hack it as advertisement for said program.

      If there's one thing I can guarantee, it's that there will be vulnerabilities in stuff, even stupid ones. This isn't a story unless Tesla somehow refuses to pay or refuses to fix it, which TFA says -nothing- about. I'm sort of surprised that they didn't reach out to get a response from Tesla, even a milquetoast "we're looking into it" or something.

    6. Re: Customer service by MachineShedFred · · Score: 1

      The user downloaded a sketchy compromised trojan horse app. This is remarkably easy not to do - millions upon millions of people manage to not do that every day.

      Stop acting like you need some level of knowledge to not have your shit exploited - millions manage this feat every single day. They don't download sketchy apps from sketchy sources, or they actually pay attention to the parade of warnings that Android gives when you install an app, and that app is asking for permissions.

      You're suggesting that people need some advanced knowledge in order to operate Android securely, which is patently false. If it was true, then Android is even more fucked up security-wise than I already thought, and I don't know why every single Android user isn't going through the proceedings of dealing with identity fraud right now.

      Oh, because it's not true. That's why not.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  18. Re:Android security flaw and not Tesla security fl by Anonymous Coward · · Score: 2, Interesting

    Tesla has its part of the blame. Not for the car, but for the Android app. Probably outsourced it to a webdev firm.

  19. Why call it "Android Malware" by Anonymous Coward · · Score: 1

    Bit of a biased article calling it specifically "Android malware", when the same malware exploiting the same security issue on Tesla's part (oauth as plaintext) on iOS would work the same way.

  20. Specific targeting by nitehawk214 · · Score: 2

    To use this one would have to specifically target the android phone of a specific Tesla owner.

    If someone wants to steal a specifically single person's car there are vastly easier ways to do it. Such as, hold a gun to the person's head and demand they turn over the key.

    None of this was done in the wild, making the title needlessly click baity.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  21. Re: Tesla Android by yakumo.unr · · Score: 4, Informative

    "Since Android was launched over seven years ago, all Android devices have
    shared a common security model that provides every application with a secure,
    isolated environment known as an application sandbox. Android was one of
    the first operating systems to introduce the idea of sandboxing to both protect
    applications from attacks and protect the device from applications. Sandboxing
    is used for all applications on the device, including system-level applications. "

    https://static.googleuserconte...

  22. Re: Tesla Android by AC-x · · Score: 1

    iOS has had its share of remote exploitable root access vulnerabilities over the years, sandboxing (which Android does too) can't stop you once you have root.

  23. Uhh... by Anonymous Coward · · Score: 0

    Actually, the NHTSA and other regulatory agencies have completely abdicated on their responsibility to ensure safety in the field of software assurance. Only the EPA has done anything to require that software be demonstrated to be correct or have any protection from hacking. Insurance companies, to an extent, do, but they are only reactive in that mode.

  24. Now the question is: by LordHighExecutioner · · Score: 0

    If I use a Samsung Galaxy Notes 7 to steal a Tesla, what happens ?!?

    1. Re:Now the question is: by Anonymous Coward · · Score: 0

      It would be one of those rare occasions where a Tesla actually catches fire.

    2. Re:Now the question is: by RubberDogBone · · Score: 1

      If I use a Samsung Galaxy Notes 7 to steal a Tesla, what happens ?!?

      Use a Note 7 to steal a Tesla and crash it into the back of a Ford Pinto hatchback.

      That should make a nice explosion visible from orbit.

      --
      Sig for hire.
  25. Morons by Anonymous Coward · · Score: 0

    People saying they can club someone and steal their keys are morons.

    While true, it adds assault or murder to the charges if/when caught. Quite likely increases the likelihood of detection.

    Also, the keys are not stolen. Just copied. So those analogies are also wrong.

  26. Re:Android security flaw and not Tesla security fl by cloud.pt · · Score: 2

    My Android developer take on this same story:

    It is Tesla's fault. Why?

    They decide which target sdk and which min sdk version they support (compile sdk doesn't really matter for liability purposes). They should be aware of the consequences of supporting older versions. If they use a feature that is vulnerable in one of the versions they support, it's CLEARLY their fault ;-)

    This reminds me of a question I once answered - someone wanted to store passwords on Android's SharedPreferences for "remember password" feature. Someone told them to use SharedPreferences. I replied stating SharedPreferences can be seen in cleartext if an app is using root to poll the filesystem (SharedPreferences' defense is nothing more than storing them in filesystem encrypted files, which # simply bypasses). Whose fault is it that a phone is rooted/rootable or that the app escalated by itself? Doesn't matter. These are a clear case of snowball growing, but in practice, if you're using a feature of an API for which you can see the source (because you can, it's AOSP...), you're always to blame for the dangers you put on your software. I learned that the soft way, and so did Tesla - they better prevent the hard way from happening with a quick fix. As they probably are storing the token in a SharedPref, the secure-preferences lib probably solves their problem or heavily mitigates attacks.
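
Added example (not part of the comment above and not Tesla's code): the cleartext SharedPreferences pattern the comment describes, next to a version that encrypts the token with an AES-GCM key held in the Android Keystore. It uses the platform Keystore rather than the secure-preferences library the comment mentions; the class name, key alias and preference names are hypothetical, and API 23+ is assumed.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.GeneralSecurityException
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical names, chosen for this example only.
private const val KEY_ALIAS = "oauth_token_key"
private const val PREFS = "auth_prefs"
private const val PREF_PLAIN = "oauth_token"
private const val PREF_ENC = "oauth_token_enc"
private const val IV_LEN = 12   // GCM nonce length produced by AndroidKeyStore
private const val TAG_LEN = 16  // 128-bit authentication tag

class TokenStore(context: Context) {
    private val prefs = context.getSharedPreferences(PREFS, Context.MODE_PRIVATE)

    // Weak pattern: the token is written as-is into the app's shared_prefs
    // XML file, so anything that can read that file reads the token.
    fun saveCleartext(token: String) {
        prefs.edit().putString(PREF_PLAIN, token).apply()
    }

    // Fetch the AES key from the Keystore, creating it on first use.
    // The key is generated inside the Keystore and is not exportable.
    private fun key(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            KEY_ALIAS,
            KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }
            .generateKey()
    }

    // Hardened pattern: only IV || ciphertext || tag reaches the prefs file.
    fun saveEncrypted(token: String) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        cipher.init(Cipher.ENCRYPT_MODE, key())  // Keystore picks a fresh random IV
        val blob = cipher.iv + cipher.doFinal(token.toByteArray(Charsets.UTF_8))
        prefs.edit().remove(PREF_PLAIN)           // drop any old cleartext copy
            .putString(PREF_ENC, Base64.encodeToString(blob, Base64.NO_WRAP)).apply()
    }

    // Returns null (and discards the entry) if the blob is missing,
    // truncated, not valid Base64, or fails GCM authentication.
    fun load(): String? {
        val b64 = prefs.getString(PREF_ENC, null) ?: return null
        return try {
            val blob = Base64.decode(b64, Base64.NO_WRAP)
            if (blob.size < IV_LEN + TAG_LEN) return discard()
            val cipher = Cipher.getInstance("AES/GCM/NoPadding")
            cipher.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(128, blob, 0, IV_LEN))
            String(cipher.doFinal(blob, IV_LEN, blob.size - IV_LEN), Charsets.UTF_8)
        } catch (e: GeneralSecurityException) { discard()
        } catch (e: IllegalArgumentException) { discard() }
    }

    private fun discard(): String? {
        prefs.edit().remove(PREF_ENC).apply()
        return null  // caller should force a fresh login
    }
}
```

This keeps the token from being read straight out of the preferences file; it does not protect a token on a phone whose OS is already compromised, which is the point other comments in this thread make.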

  27. Wrong target by Bert64 · · Score: 1

    Trying to prevent reverse engineering is pointless, all you can do is make things more difficult and in doing so, making your code more complicated and harder to debug or potentially unreliable.
    The fact is if you access something from a compromised device then you run the risk of whatever you're accessing being compromised too.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Wrong target by Anonymous Coward · · Score: 0

      +1 on this. They could add encryption and require the user to type in a pin/password, but if a user permits malware on their device it could just wait and grab the data when the user accesses it.

      The OAuth token is protected by file ACLs like it should be.

      If users want additional protection they should install anti-virus that can detect unknown processes running as root privilege. If that is seen then all the tokens should simply be erased immediately.

  28. Re: Tesla Android by Anonymous Coward · · Score: 0

    If you have rooted the OS then it would still be possible to do this type of exploit, even on iOS. Just would need to proxy the network code so that it looks for the OAuth token and sends it somewhere before applying the SSL encryption. Or if the token is stored in the keychain it would be possible on a rooted device to access the keychain ignoring the sandboxing walls.

  29. Re: Tesla Android by Anonymous Coward · · Score: 0

    "Since Android was launched over seven years ago, all Android devices have
    shared a common security model that provides every application with a secure,
    isolated environment known as an application sandbox. Android was one of
    the first operating systems to introduce the idea of sandboxing to both protect
    applications from attacks and protect the device from applications. Sandboxing
    is used for all applications on the device, including system-level applications. "

    https://static.googleuserconte...

    Well, thank you for the dissertation here, but unfortunately this has done FUCK ALL to actually prevent or protect consumers using the Android ecosystem.

    The fucking pathetic part is it's become so systemic that it appears Android consumers want it that way.

  30. Switch to Android? by BigBuckHunter · · Score: 0

    You mean I have to switch to an Android to steal Teslas? I'm sorry, but that's a deal breaker.

    1. Re:Switch to Android? by Anonymous Coward · · Score: 0

      .. no? The Tesla's owner has to be running Android. Jesus. What happened to this place?

  31. Re: Android security flaw and not Tesla security f by Anonymous Coward · · Score: 0

    it's a webapp.
    uses a web service.

    doesn't matter when if rooted the text input can be read anyways. the article is stupid.

  32. It's because Tesla (the name) spells STEAL by Provocateur · · Score: 0

    and you're simply doing what you were told

    --
    WARNING: Smartphones have side effects--most of them undocumented.
    1. Re:It's because Tesla (the name) spells STEAL by Anonymous Coward · · Score: 0

      Tesla doesn't spell STEAL. It spells Tesla. Were you trying to make an anagram joke there? If so, any chance you could maybe try a little harder next time?

  33. Re: Tesla Android by Anonymous Coward · · Score: 0

    Make a claim that is easily proven wrong. Have someone refute claim with evidence. Move goalposts. Whine about something else. Rinse. Repeat.

  34. insert Android FUD .,. by khz6955 · · Score: 1

    So let me see if I understand correctly, if you download and install malware on your Android device, you'll get hacked, just where is the technology angle?

  35. Re: Tesla Android by Anonymous Coward · · Score: 0

    English, a spoken language, evolved with a set of noise-tolerant redundancy features. If you didn't understand that, the trouble is yours as well.

  36. Why steal a connected car? by Anonymous Coward · · Score: 0

    Aren't Teslas so connected that stealing them can only be a short term endeavor?

    Maybe you'd get a joyride out of it, but the car is totally trackable so you'd better make it real short.

  37. 13x less likely to be stolen than avg car because by RhettLivingston · · Score: 2

    Teslas are 13x less likely to be stolen than an average car according to Teslas are hard to steal.

    The reasons are multifold. Starting the car and driving it off is the easy part. The few Teslas stolen to date have been largely due to what might be considered extreme negligence on the owner's part - like leaving the doors open and the fob inside.

    But is that negligence? The car is totally connected and obscenely trackable. Getting away with stealing a Tesla would mean disconnecting it forever and thus losing a lot of its value. For example, you could never get a free recharge. I wonder how many of those few cars stolen have been recovered. I'd bet the number is high.

    So, you steal it for parts? Wrong! There is virtually no used parts market. Tesla owners tend to buy their parts new.

    It seems that the best you could hope for is likely a very quick joyride.

    My question is "why this article now"? It is very sensationalist. I'm not questioning the efforts of those who found and reported the attack route. But why widely disseminate it to the general public without noting that Teslas are amongst the least likely to be stolen cars in the world. Is this an attack piece?

  38. Security 101 by Macdude · · Score: 1

    Security 101
    1. If you can do something remotely, so can someone else.

    --
    "Grab them by the pussy" -- President of the United States of America
  39. Re: Tesla Android by Anonymous Coward · · Score: 0

    Except that apps can write encrypted information inside their sandbox.

  40. Blame Tesla by manu0601 · · Score: 1

    I see many people blaming Tesla, but in my opinion, assuming the OS can keep a cookie secret is not a security mistake. The flaw is in the OS here.

  41. Name of app by theatrecade · · Score: 1

    Is it called Edison?

    --
    some people are a "glass half empty" some are "glass half full" i'm a "there is something in the glass be happy" person
  42. Another fake anti-Tesla story by Anonymous Coward · · Score: 0

    The same Slashdot that warns us about fake Anti-Tesla stories serves up one itself, literally on the SAME DAY!

    This story is false on three counts (A) The hack was possible not because of the Tesla app but because of a weakness in the Android Operating system. (B) the flaw in the operating system had already been patched before the hack and before the story went out. (C) No Tesla vehicle was actually stolen by this hack. Indeed Tesla cars are amongst the safest when it comes to theft prevention.

    See: https://electrek.co/2016/11/23/tesla-hacker-steal-car/

  43. Re: Tesla Android by Anonymous Coward · · Score: 0

    This:

    Sand boxing apps has been around forever since JS started and has done shit else to prevent malware from executing. Ride that hype train bro.

  44. I CAN STEAL ALL YOUR DATA!!! by Anonymous Coward · · Score: 0

    I just need you to install this free app from a developer you have never heard of...