Android Malware Used To Hack and Steal Tesla Car (bleepingcomputer.com)
An anonymous reader writes: By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn't that difficult according to a demo video from Norwegian firm Promon. This malicious app can use many of the freely available Android rooting exploits to take over the user's phone, steal the OAuth token from the Tesla app and the user's login credentials. This is possible because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection, allowing attackers to alter the app's source code and log user credentials. The OAuth token and Tesla owner's password allow an attacker to perform a variety of actions, such as opening the car's doors and starting the motor.
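The summary's key defect is a credential sitting in cleartext in the app's own storage. As an added example (not code from the article, Promon's demo, or Tesla's app), here is a small check a reviewer can run over an Android app's shared-preferences XML, the kind of file an app writes under its private data directory, to flag values that look like cleartext OAuth tokens or passwords. The sample file, its key names, the token values and the thresholds are all constructed assumptions for this example.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample of an Android shared_prefs XML file. Key names and
# values are invented for this example; they are not from the Tesla app.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="units">metric</string>
    <string name="access_token">eyJhbGciOiJIUzI1NiJ9.constructed-sample</string>
    <string name="cached_id">ab3f9c1e2d4b5a6f7e8d9c0b1a2f3e4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a0f</string>
    <string name="last_vehicle">Model S</string>
    <string name="user_password">hunter2</string>
    <boolean name="remember_me" value="true" />
</map>
"""

# Key names that should never hold a plaintext value in app storage.
SENSITIVE_KEY = re.compile(r"token|secret|password|credential", re.IGNORECASE)
MIN_SECRET_LEN = 32   # assumption: a value this long and random-looking is a credential
MIN_ENTROPY = 3.5     # bits/char; random hex scores ~4.0, prose and short words far less


def shannon_entropy(value: str) -> float:
    """Bits per character of `value`; 0.0 for the empty string."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_cleartext_secrets(prefs_xml: str) -> dict:
    """Return {key: reason} for entries that look like cleartext credentials.

    Two heuristics: a sensitive key name, or a long high-entropy value under
    any key (catches tokens stored under innocuous-looking names)."""
    findings = {}
    for elem in ET.fromstring(prefs_xml.encode("utf-8")):
        key = elem.get("name", "")
        value = (elem.text or elem.get("value") or "").strip()
        if SENSITIVE_KEY.search(key):
            findings[key] = "sensitive key name"
        elif len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= MIN_ENTROPY:
            findings[key] = "long high-entropy value"
    return findings


if __name__ == "__main__":
    for key, reason in find_cleartext_secrets(SAMPLE_PREFS).items():
        print(f"{key}: {reason}")
```

Any hit means the value is readable by anything that gains access to the app's data directory, which is exactly what the rooting step in the summary provides; the mitigation is to keep such values out of plain preferences and behind a hardware-backed keystore.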
This has nothing to do with the subject.
If you give the right to your phone to start your car, don't expect your phone not to be hacked, whatever the phone O.S.
Also in general, don't expect your phone not to be hacked.
The thing that worries me is that pretty soon, you won't be able to buy any car that doesn't include a whole bunch of electronic remote communications, whether you want it or not, and regardless of whether you consider it a security and/or privacy risk.
Here in the UK insurers routinely demand that a recognised tracker device be installed in faster/higher-end vehicles as an anti-theft measure before they will provide cover. Moreover, I don't know myself where the tracker is installed in my own vehicle, because no-one except the person who actually did the installation does; apparently the people who do it won't even tell the dealers or allow anyone else in the room while they're working. I have some reservations about that already given the obvious privacy implications and the legal requirement to have insurance to use the car. But at least that is a separate system, operated by a private company whose contract is with me and whose reputation would be on the line if it came out they were activating the tracking for any reason other than my calling them and asking them to.
With modern cars that come with the likes of OnStar as standard, or with the new European eCall system that will be mandatory for all new cars sold in Europe within the next couple of years, you're talking about an electronic system that is intimately connected into the operational systems on the car and has remote communications capabilities. Given the notorious lack of security within a typical car's software environment, these systems seem potentially very dangerous to me, despite being well-intentioned and presumably being beneficial if you really are in a serious accident.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Tesla has its part of the blame. Not for the car, but for the Android app. Probably outsourced it to a webdev firm.
I live in eastern Europe and we're way ahead of you guys on this one. When you want to get insurance for a reasonably new car the insurance guys disassemble and rewire your OBD2 ports in a pseudo-random manner. Then they wire you an OBD2 F2F adapter whose input is your scrambled OBD2 and the output is the standard working one. In short, your car's OBD2 doesn't work without the adapter, so as long as you don't leave your adapter in the car your port is unusable without rewiring it back to a working condition.
Now granted this is a bit of security through obscurity, but it means a thief can't easily plug a laptop in your CAN to hotwire your car. Sure, if the thief has the time to disassemble your OBD2 port and can rewire it back they can steal your car eventually. However, this turns a 30-second job into a 5-10 minute job that requires extra tools and know-how and for a lot of car thefts that's good enough as prevention.
What I'm saying is, there's no car on the market that won't run without fancy remote/multimedia functionality. I can bet that even if the automakers want to make a car like that it will have a hell of a time getting certified.
TL;DR: The extra functions can easily be scrambled or unplugged internally in a way that disables them completely.