Slashdot Mirror

← Back to Stories (view on slashdot.org)

Android Malware Used To Hack and Steal Tesla Car (bleepingcomputer.com)

Posted by msmash on from the security-woes dept.

An anonymous reader writes: By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn't that difficult according to a demo video from Norwegian firm Promon. This malicious app can use many of the freely available Android rooting exploits to take over the user's phone, steal the OAuth token from the Tesla app and the user's login credentials. This is possible because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection, allowing attackers to alter the app's source code and log user credentials. The OAuth token and Tesla owner's password allow an attacker to perform a variety of actions, such as opening the car's doors and starting the motor.

7 of 118 comments (clear)

  1. Android security flaw and not Tesla security flaw? by DiniZuli · · Score: 5, Informative

    Here is another take on the same story: https://electrek.co/2016/11/23...

  2. Re:Tesla Android by stooo · · Score: 3, Interesting

    This has nothing to do with the subject.
    If you give the right to your phone to start your car, don't expect your phone not to be hacked, watever the phone O.S.

    Also in general, don't expect your phone not to be hacked.

    --
    aaaaaaa
  3. I can do you one better by houghi · · Score: 4, Insightful

    I can steal one by hitting people with a Nokia phone and it isn't limited to one brand of cars.
    You can also use a toaster if it runs Linux.

    Seriously, this is just another "via the Internet" thing that is used with almost anything to pretend it is something new. The article is "You can steal a car if you steal the keys".

    --
    Don't fight for your country, if your country does not fight for you.
  4. Re: Tesla Android by Anonymous Coward · · Score: 4, Insightful

    actually,...

    Do expect Android to be hacked and all your info leaked to cave monkeys handling Google's development in some smelly jungle.

    Google getting all your data via Android is neither a hack nor a leak.

    It's a feature.

  5. Re: So don't use apps by Anonymous+Brave+Guy · · Score: 4, Interesting

    The thing that worries me is that pretty soon, you won't be able to buy any car that doesn't include a whole bunch of electronic remote communications, whether you want it or not, and regardless of whether you consider it a security and/or privacy risk.

    Here in the UK insurers routinely demand that a recognised tracker device be installed in faster/higher-end vehicles as an anti-theft measure before they will provide cover. Moreover, I don't know myself where the tracker is installed in my own vehicle, because no-one except the person who actually did the installation does; apparently the people who do it won't even tell the dealers or allow anyone else in the room while they're working. I have some reservations about that already given the obvious privacy implications and the legal requirement to have insurance to use the car. But at least that is a separate system, operated by a private company whose contract is with me and whose reputation would be on the line if it came out they were activating the tracking for any reason other than my calling them and asking them to.

    With modern cars that come with the likes of OnStar as standard, or with the new European eCall system that will be mandatory for all new cars sold in Europe within the next couple of years, you're talking about an electronic system that is intimately connected into the operational systems on the car and has remote communications capabilities. Given the notorious lack of security within a typical car's software environment, these systems seem potentially very dangerous to me, despite being well-intentioned and presumably being beneficial if you really are in a serious accident.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  6. Re: Tesla Android by yakumo.unr · · Score: 4, Informative

    "Since Android was launched over seven years ago, all Android devices have
    shared a common security model that provides every application with a secure,
    isolated environment known as an application sandbox. Android was one of
    the first operating systems to introduce the idea of sandboxing to both protect
    applications from attacks and protect the device from applications. Sandboxing
    is used for all applications on the device, including system-level applications. "

    https://static.googleuserconte...

  7. Re: So don't use apps by Anonymous Coward · · Score: 4, Interesting

    I live in eastern Europe and we're way ahead of you guys on this one. When you want to get insurance for a reasonably new car the insurance guys disassemble and rewire your OBD2 ports in a pseudo-random manner. Then they wire you a OBD2 F2F adapter whose input is your scrambled OBD2 and the output is the standard working one. In short, your car's OBD2 doesn't work without the adapter, so as long as you don't leave your adapter in the car your port is unusable without rewiring it back to a working condition.
    Now granted this is a bit of security through obscurity, but it means a thief can't easily plug a laptop in your CAN to hotwire your car. Sure, if the thief has the time to disassemble your OBD2 port and can rewire it back they can steal your car eventually. However, this turns a 30-second job into a 5-10 minute job that requires extra tools and know-how and for a lot of car thefts that's good enough as prevention.
    What I'm saying is, there's no car on the market that won't run without fancy remote/multimedia functionality. I can bet that even if the automakers want to make a car like that it will have a hell of a time getting certified.
    TL:DR; The extra functions can easily be scrambled or unplugged internally in a way that disables them completely.