Slashdot Mirror


Android Malware Used To Hack and Steal Tesla Car (bleepingcomputer.com)

An anonymous reader writes: By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn't that difficult according to a demo video from Norwegian firm Promon. This malicious app can use many of the freely available Android rooting exploits to take over the user's phone, steal the OAuth token from the Tesla app and the user's login credentials. This is possible because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection, allowing attackers to alter the app's source code and log user credentials. The OAuth token and Tesla owner's password allow an attacker to perform a variety of actions, such as opening the car's doors and starting the motor.

2 of 118 comments

  1. Android security flaw and not Tesla security flaw? by DiniZuli · Score: 5, Informative

    Here is another take on the same story: https://electrek.co/2016/11/23...

  2. Re: Tesla Android by yakumo.unr · Score: 4, Informative

    "Since Android was launched over seven years ago, all Android devices have
    shared a common security model that provides every application with a secure,
    isolated environment known as an application sandbox. Android was one of
    the first operating systems to introduce the idea of sandboxing to both protect
    applications from attacks and protect the device from applications. Sandboxing
    is used for all applications on the device, including system-level applications."

    https://static.googleuserconte...