Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Malware Used To Hack and Steal Tesla Car (bleepingcomputer.com)

Posted by msmash on from the security-woes dept.

An anonymous reader writes: By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn't that difficult according to a demo video from Norwegian firm Promon. This malicious app can use many of the freely available Android rooting exploits to take over the user's phone, steal the OAuth token from the Tesla app and the user's login credentials. This is possible because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection, allowing attackers to alter the app's source code and log user credentials. The OAuth token and Tesla owner's password allow an attacker to perform a variety of actions, such as opening the car's doors and starting the motor.

19 of 118 comments (clear)

  1. I smell a law suit here by bogaboga · · Score: 2

    ...because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection...

    There is a law suit I am smelling here. Am I alone?

    1. Re:I smell a law suit here by fnj · · Score: 2

      For God's sake, Android is one giant security nightmare from the git go. So is iOS. So are computers in total. You can't "patch" away the reality. With great capability comes great potential for wrongdoing. The black hat is ALWAYS going to be ahead in the arms race. The black hat only has to nose around endlessly and find a single vulnerability. The good guys have to constantly plug ALL the holes that spring up. It's like trying to protect against IEDs by devising constantly stronger armor. You take what used to be a cost-effective jeep and end up with a rolling monster weighing as much as a WW II tank, gulping fuel like a drain, and costing as much as if it were solid gold. And all they do is make bigger IEDs. Even if you make the armor a foot thick including an awkward sideways-deflecting floor and bulletproof glass, they make the IEDs so big the goddam thing gets blown end-over-end and lands upside down 50 feet away, everybody inside dead from the concussion.

  2. Re:Why bother with hacking? by stooo · · Score: 2

    Because a tow doesn't start the car.
    If you tow it away, typically you would like to start it afterwards.

    --
    aaaaaaa
  3. Android security flaw and not Tesla security flaw? by DiniZuli · · Score: 5, Informative

    Here is another take on the same story: https://electrek.co/2016/11/23...

  4. Re:Tesla Android by stooo · · Score: 3, Interesting

    This has nothing to do with the subject.
    If you give the right to your phone to start your car, don't expect your phone not to be hacked, watever the phone O.S.

    Also in general, don't expect your phone not to be hacked.

    --
    aaaaaaa
  5. I can do you one better by houghi · · Score: 4, Insightful

    I can steal one by hitting people with a Nokia phone and it isn't limited to one brand of cars.
    You can also use a toaster if it runs Linux.

    Seriously, this is just another "via the Internet" thing that is used with almost anything to pretend it is something new. The article is "You can steal a car if you steal the keys".

    --
    Don't fight for your country, if your country does not fight for you.
  6. Re: Tesla Android by Anonymous Coward · · Score: 4, Insightful

    actually,...

    Do expect Android to be hacked and all your info leaked to cave monkeys handling Google's development in some smelly jungle.

    Google getting all your data via Android is neither a hack nor a leak.

    It's a feature.

  7. Sock full of batteries by mschaffer · · Score: 2

    You don't even need an OS and the battery life is better. Just club someone with a sock full of batteries (don't even need to be LiPos). You don't even need to charge the batteries.

  8. Re: So don't use apps by Anonymous+Brave+Guy · · Score: 4, Interesting

    The thing that worries me is that pretty soon, you won't be able to buy any car that doesn't include a whole bunch of electronic remote communications, whether you want it or not, and regardless of whether you consider it a security and/or privacy risk.

    Here in the UK insurers routinely demand that a recognised tracker device be installed in faster/higher-end vehicles as an anti-theft measure before they will provide cover. Moreover, I don't know myself where the tracker is installed in my own vehicle, because no-one except the person who actually did the installation does; apparently the people who do it won't even tell the dealers or allow anyone else in the room while they're working. I have some reservations about that already given the obvious privacy implications and the legal requirement to have insurance to use the car. But at least that is a separate system, operated by a private company whose contract is with me and whose reputation would be on the line if it came out they were activating the tracking for any reason other than my calling them and asking them to.

    With modern cars that come with the likes of OnStar as standard, or with the new European eCall system that will be mandatory for all new cars sold in Europe within the next couple of years, you're talking about an electronic system that is intimately connected into the operational systems on the car and has remote communications capabilities. Given the notorious lack of security within a typical car's software environment, these systems seem potentially very dangerous to me, despite being well-intentioned and presumably being beneficial if you really are in a serious accident.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  9. Re:One step closer by Anonymous+Brave+Guy · · Score: 2

    I appreciate your smiley, this is actually a serious security issue. The trouble is, it's not even an insurgent on the far side of the world driving a remote controlled weapon that is the biggest concern. It's an insurgent on the far side of the world turning your own car into a remote controlled weapon while you and your family are driving home in it from a shopping trip, along with many other cars at the same time.

    I disapprove of fear-mongering over terrorism as much as the next guy, but objectively, the reason 9/11 was so devastating was that it turned an everyday facility that many of us take for granted into a weapon, unexpectedly. And the reason the botnet that took down several major websites a little while back was so devastating was that it co-opted the insecure connected devices of numerous otherwise innocent third parties to do its dirty work. The parallels with what could happen with insecure remote communications and software control systems in modern cars are disturbing, and there have already been plenty of demonstrations showing how insecure many of these systems really are today.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  10. Re:Android security flaw and not Tesla security fl by Anonymous Coward · · Score: 2, Interesting

    Tesla has its part of the blame. Not for the car, but for the Android app. Probably outsourced it to a webdev firm.

  11. Specific targeting by nitehawk214 · · Score: 2

    To use this one would have to specifically target the android phone of a specific Tesla owner.

    If someone wants to steal a specifically single person's car there are vastly easier ways to do it. Such as, hold a gun to the person's head and demand they turn over the key.

    None of this was done in the wild, making the title needlessly click baity.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  12. Re: Tesla Android by yakumo.unr · · Score: 4, Informative

    "Since Android was launched over seven years ago, all Android devices have
    shared a common security model that provides every application with a secure,
    isolated environment known as an application sandbox. Android was one of
    the first operating systems to introduce the idea of sandboxing to both protect
    applications from attacks and protect the device from applications. Sandboxing
    is used for all applications on the device, including system-level applications. "

    https://static.googleuserconte...

  13. Re: So don't use apps by JaredOfEuropa · · Score: 2

    Thieves going after high end vehicles routinely carry GPS / GSM jammers to ensure the tracker either gets no position fix or won't be able to communicate with the mothership. The equipment isn't especially expensive or hard to come by. I wonder why insurers still demand them.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  14. Re: So don't use apps by phayes · · Score: 2

    So your thinking is that Tesla should up the price of all their cars by ~$1000 and include an iPhone with every car?
    Just abandon Android as insecure?

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  15. Re:Customer service by tbannist · · Score: 2

    I don't know, this does sound a little bit like blaming Ford because your car was stolen when you handed the keys to some guy wearing a red coat and hat outside a posh restaurant. Is it really a security flaw with your car if the restaurant doesn't actually have valet parking?

    And from the other article someone posted above, this apparently requires that you have the Tesla app on an out-of-date Android phone, the flaw used in the demonstration to steal the OAUTH data has already been patched...

    --
    Fanatically anti-fanatical
  16. Re:Android security flaw and not Tesla security fl by cloud.pt · · Score: 2

    My Android developer take on this same story:

    It is Tesla's fault. Why?

    They decide which target sdk and which min sdk version they support (compile sdk doesn't really matter for liability purposes). They should be aware of the consequences of supporting older versions. If they use a feature that is vulnerable in one of the versions they support, it's CLEARLY their fault ;-)

    This reminds me of a question I once answered - someone wanted to store passwords on Android's SharedPreferences for "remember password" feature. Someone told them to use SharedPreferences. I replied stating SharedPreferences can be seen in cleartext if the an app is using root to poll the filesystem (SharedPreferences' defense is nothing more than storing them in filesystem encrypted files, which # simply bypasses). Whose fault is it that a phone is rooted/rootable or that the app escalated by itself? Doesn't matter. These are clear case of snowball growing, but in practice, if you're using a feature of an API for which you can see the source (because you can, it's AOSP...), you're always to blame for the dangers you put on your software. I learned that the soft way, and so did Tesla - they better prevent the hard way from happening with a quick fix. As they probably are storing the token in a SharedPref, the secure-preferences lib probably solves their problem or heavily mitigates attacks.

  17. Re: So don't use apps by Anonymous Coward · · Score: 4, Interesting

    I live in eastern Europe and we're way ahead of you guys on this one. When you want to get insurance for a reasonably new car the insurance guys disassemble and rewire your OBD2 ports in a pseudo-random manner. Then they wire you a OBD2 F2F adapter whose input is your scrambled OBD2 and the output is the standard working one. In short, your car's OBD2 doesn't work without the adapter, so as long as you don't leave your adapter in the car your port is unusable without rewiring it back to a working condition.
    Now granted this is a bit of security through obscurity, but it means a thief can't easily plug a laptop in your CAN to hotwire your car. Sure, if the thief has the time to disassemble your OBD2 port and can rewire it back they can steal your car eventually. However, this turns a 30-second job into a 5-10 minute job that requires extra tools and know-how and for a lot of car thefts that's good enough as prevention.
    What I'm saying is, there's no car on the market that won't run without fancy remote/multimedia functionality. I can bet that even if the automakers want to make a car like that it will have a hell of a time getting certified.
    TL:DR; The extra functions can easily be scrambled or unplugged internally in a way that disables them completely.

  18. 13x less likely to be stolen than avg car because by RhettLivingston · · Score: 2

    Teslas are 13x less likely to be stolen than an average car according to Teslas are hard to steal.

    The reasons are multifold. Starting the car and driving it off is the easy part. The few Teslas stolen to date have been largely due to what might be considered extreme negligence on the owners part - like leaving the doors open and the fob inside.

    But is that negligence? The car is totally connected and obscenely trackable. Getting away with stealing a Tesla would mean disconnecting it forever and thus losing a lot of its value. For example, you could never get a free recharge. I wonder how many of those few cars stolen have been recovered. I'd bet the number is high.

    So, you steal it for parts? Wrong! There is virtually no used parts market. Tesla owners tend to buy their parts new.

    It seems that the best you could hope for is likely a very quick joyride.

    My question is "why this article now"? It is very sensationalist. I'm not questioning the efforts of those who found and reported the attack route. But why widely disseminate it to the general public without noting that Teslas are amongst the least likely to be stolen cars in the world. Is this an attack piece?