Free Republic

Android Malware Used to Hack and Steal a Tesla Car
BleepingComputer.com ^ | November 25, 2016 | By Catalin Cimpanu

Posted on 12/01/2016 10:12:18 PM PST by Swordmaker

Tesla Model S

By infecting a Tesla owner's phone with Android malware, a car thief can hack and then steal a Tesla car, security researchers have revealed this week.

Previous attempts to hack Tesla cars attacked the vehicle's on-board software itself. This is how Chinese security researchers from Keen Lab have managed to hack a Tesla Model S last month, allowing an attacker to control a car from 12 miles away.

Security experts from Norwegian security firm Promon have taken a different approach, and instead of trying complicated attacks on the car's firmware, they have chosen to go after Tesla's Android app that many car owners use to interact with their vehicle.

Tesla Android app is the hackers' entry point

By default, when Tesla owners install the Android app, they'll have to enter a username and password, for which the app generates an OAuth token. The app will use this token every time the user re-opens his app, so the user won't have to enter a username and password tens of times per day.

The app doesn't keep this token forever, but deletes it after 90 days, and asks the user for his username and password again.

Promon researchers have discovered that the Tesla app keeps this token in a plaintext file, in the app's "sandbox" folder. An attacker can read this token if he has access to the user's phone.

Android app saves OAuth token in cleartext

Researchers say that it's easy for an attacker to create a malicious Android app that contains rooting exploits such as Towelroot and Kingroot. These exploits can be used to escalate the malicious app's privileges and read data or alter other apps.

While the token allows an attacker to perform several actions, he can't start a Tesla car. For this he needs the user's password.

Promon researchers say that if the malware deletes the OAuth token from the user's phone, the app will prompt the user to enter his password again, providing the perfect opportunity to collect the user's password.

Attackers also modify the Tesla app's source code to steal login data

Researchers say that this is easy and can be done by modifying the original Tesla app's code. Since the attacker has already rooted the user's phone, the attacker can alter the Tesla app and send a copy of the victim's username and password to the attacker.

With this data in hand, the attacker can perform a series of actions, such as using the car's keyless driving functionality to start the engine, open doors, or track the car on the road. Other actions are also theoretically possible, but researchers haven't tested all of them.

All these are performed just by sending well-crafted HTTP requests to the Tesla servers with the victim's OAuth token and, when necessary, password.

Victims must install a malicious app on their phones first

For all of this to be possible, the main key is that the attacker convinces the victim to install a rogue app on his Android device.

In a video below, the Promon team reveals a simple social engineering trick that fools a user into installing a malicious app on his phone by promising the victim a free meal at a local restaurant.

While Tesla is to blame for failing to protect the OAuth token in their app, mobile carriers are also at fault. For the past year, Google has been providing timely security updates for the Android OS, which many carriers have been failing to deliver to their customers.

Promon engineers recommend that the Tesla app provide two-factor authentication, avoid storing the OAuth token in cleartext, prevent easy access to its source code, and use a custom keyboard layout when entering passwords to fight against mobile keyloggers.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: android; malware; tesla

1 posted on 12/01/2016 10:12:18 PM PST by Swordmaker
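The check a mobile app reviewer would run to confirm or rule out the storage weakness the article describes, as an added example that is not code from the article, from Promon or from Tesla: it walks an app data directory pulled from a test device or emulator and flags values stored under credential-style key names, or long high-entropy values, in shared_prefs XML, JSON and plain key=value files. The package name, file layout and token values are constructed placeholders, and the thresholds (32 characters, 3.5 bits of entropy per character) are assumptions chosen for the sample.

```python
"""Audit a pulled Android app data dir for cleartext credentials (constructed example; see lead-in)."""
import json
import math
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# A key with one of these names is a finding on its own, whatever the value looks like.
SENSITIVE_KEY = re.compile(r"access_token|refresh_token|auth_token|oauth|bearer|password", re.I)
# Android shared_prefs files are XML: <string name="key">value</string>
XML_STRING = re.compile(r'<string\s+name="([^"]+)"\s*>([^<]*)</string>')
# Fallback for .properties / .txt style files: one key=value or key: value per line
KV_PAIR = re.compile(r"^\s*([A-Za-z_][\w.\-]*)\s*[=:]\s*(\S+)\s*$", re.M)
MIN_SECRET_LEN = 32      # a value this long and ...
MIN_ENTROPY_BITS = 3.5   # ... this random-looking is treated as a probable secret (assumed thresholds)

@dataclass(frozen=True)
class Finding:
    path: str    # file, relative to the data directory root
    key: str     # key or attribute name the value was stored under
    reason: str

def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of value (0.0 for an empty string)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify(path, key, value) -> list:
    """Flag a key/value pair by sensitive name first, then by value randomness."""
    if SENSITIVE_KEY.search(key):
        return [Finding(path, key, "sensitive key name stored in cleartext")]
    if len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= MIN_ENTROPY_BITS:
        return [Finding(path, key, "high-entropy value, probable token")]
    return []

def walk_json(path, node, key="") -> list:
    """Classify every string leaf of a parsed JSON document, nested objects included."""
    if isinstance(node, dict):
        return [f for k, v in node.items() for f in walk_json(path, v, k)]
    if isinstance(node, list):
        return [f for v in node for f in walk_json(path, v, key)]
    return classify(path, key, node) if isinstance(node, str) else []

def scan_file(root: Path, file: Path) -> list:
    rel = file.relative_to(root).as_posix()
    try:
        text = file.read_text(encoding="utf-8")
    except (UnicodeDecodeError, OSError):
        return []  # binary or unreadable: out of scope for this text-only check
    if file.suffix == ".xml":
        return [f for m in XML_STRING.finditer(text) for f in classify(rel, *m.groups())]
    if file.suffix == ".json":
        try:
            return walk_json(rel, json.loads(text))
        except json.JSONDecodeError:
            pass  # not valid JSON after all: fall through to the line-based scan
    return [f for m in KV_PAIR.finditer(text) for f in classify(rel, *m.groups())]

def audit_app_data(root) -> list:
    """Scan every regular file under root (e.g. a directory pulled from a test device with adb)."""
    root = Path(root)
    return [f for p in sorted(root.rglob("*")) if p.is_file() for f in scan_file(root, p)]

# Constructed sample data directory; "com.example.carapp" is a placeholder package name.
SAMPLE_FILES = {
    "shared_prefs/com.example.carapp_preferences.xml": (
        '<?xml version="1.0" encoding="utf-8" standalone="yes" ?>\n<map>\n'
        '    <string name="access_token">4f9c2d8e7a1b5c3d9e0f6a2b8c4d1e7f3a5b9c0d2e4f6a8b1c3d5e7f9a0b2c4d</string>\n'
        '    <long name="token_created_at" value="1479988800000" />\n'
        '    <string name="units">metric</string>\n</map>\n'
    ),
    "files/session.json": json.dumps({"user": "owner@example.com", "units": "metric",
                                      "session": {"refresh_token": "rt-0f1e2d3c4b5a69788796a5b4c3d2e1f0"}}),
    # No sensitive key name on the last line: only the entropy heuristic catches the session id.
    "files/cache.txt": "last_vehicle_id=12345\nfirmware=8.0\nsid=Qm7xV2pL9aR4tZ8cN1yH6kW3eJ5uB0sD\n",
}

def write_sample_dir() -> str:
    """Materialise SAMPLE_FILES in a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="appdata_")
    for rel, content in SAMPLE_FILES.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root

if __name__ == "__main__":
    for finding in audit_app_data(write_sample_dir()):
        print(f"{finding.path}: '{finding.key}' -> {finding.reason}")
```

On the sample directory the scan reports three findings: the access token in shared_prefs and the refresh token in the JSON file by key name, and the session id in the text file by entropy alone. A clean result on a real app is the goal the article's recommendation points at: a token that has to survive across app launches belongs under a key the app cannot simply read back as a file (on Android, one held in the platform keystore), and it should be short-lived; on a rooted device that only raises the bar rather than removing it, which is why the article's other recommendation, a second factor, matters as well.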

To: ThunderSleeps

Ping for your list


2 posted on 12/01/2016 10:12:45 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

Video Demonstration on site of a Tesla being stolen after hacker steals user name and password from malicious Android app loaded on to owners phone.


3 posted on 12/01/2016 10:14:12 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

I have Zer0 desire to have my vehicles to be in any way networked. CAN makes it too late in many ways.


4 posted on 12/01/2016 10:16:51 PM PST by Paladin2 (No spellcheck. It's too much wwork to undo the auto wrong word substitution on mobile devices.)

To: Swordmaker

Tesla.

Not the car of whistleblowers.


5 posted on 12/01/2016 10:21:14 PM PST by Arthur McGowan (https://youtu.be/IYUYya6bPGw)

To: Swordmaker

Neat app. Wholly stupid idea. Doubly so for the Internet of Things. It is amazing, with two decades since the Internet boom, we are still living in the tech Wild Wild West. I am actually amazed more things don’t get p0wned.


6 posted on 12/01/2016 10:33:03 PM PST by John Robinson (I am a twit @_John_Robinson)

To: Swordmaker

Just pull out a key fuse when you park it.


7 posted on 12/01/2016 10:34:05 PM PST by Daniel Ramsey (MAGA)

To: John Robinson
John, a couple of years ago a hacker named Charlie Miller demonstrated the ability to hack into a Jeep while it was being driven. He could literally control almost everything about that Jeep including turning the windshield wipers on and off, changing the gears, controlling the radio/entertainment system, shutting down the engine, etc. He even had power over the acceleration, braking, and steering to a limited degree. My question is: why does any vehicle capable of being connected to the internet have its SYSTEMS on the network while on the road? These capabilities should be hardware locked out from the network when the vehicle is moving. That seems to me to be a no-brainer.

Sometimes an engineer's urge to add more bells and whistles overwhelms the sense God gave an earthworm. . . and they pile on and pile on, regardless of the security of what's being added!

8 posted on 12/01/2016 10:41:21 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Daniel Ramsey

There isn’t a millennial that even knows what a fuse is. You, sir, like me, are old school.

FRegards.


9 posted on 12/01/2016 10:45:44 PM PST by FlyFisher

To: FlyFisher

I’m 48 and I just feel the old, no school!


10 posted on 12/01/2016 10:52:49 PM PST by dp0622 (IThe only thing an upper crust conservative hates more than a liberal is a middle class conservative)

To: Swordmaker

Crazy. Security is an after-thought, bolt-on if there’s time. Until security is the foundation of designs, systems will routinely be compromised. With tragic consequences at this pace.


11 posted on 12/02/2016 12:40:03 AM PST by John Robinson (I am a twit @_John_Robinson)

To: 109ACS; aimhigh; bajabaja; Bikkuri; Bobalu; Bookwoman; Bullish; Carpe Cerevisi; DarthDilbert; ...
Another app vulnerability, though definitely a niche market... - ANDROID PING!

Android Ping!
If you want on or off the Android Ping List, Freepmail me.

My take on it: the phrase "Victims must install a malicious app on their phones first..." is key here. It is becoming obvious that with any of the major smart phone systems - Android, Apple, Windows - the primary vulnerability is from the user installing malicious apps. We are our own worst enemies.
12 posted on 12/02/2016 5:32:32 AM PST by ThunderSleeps (Stop obarma now! Stop the hussein - insane agenda!)

To: FlyFisher

I used to take the fuel pump relay out on my then-new (years ago) Silverado; I had a known burnt-out one, I had a mark on the bad one, and swapped them out. That's fine unless you had another old-school car thief who knew tricks like that.

When I was much younger and I had a '56 Chevy hotrod, I wired the coil wire through a cigarette lighter I modified: you had to push in the lighter to make it run, and yes, it stayed in because I soldered the heat coil; pull it out a bit like a normal-looking lighter and no juice to the coil.

'Course now you get burnt at the stake for even asking if a new car or truck has a real working cigarette lighter and not an aux power port.


13 posted on 12/02/2016 6:46:28 AM PST by Daniel Ramsey (MAGA)

To: ThunderSleeps
Old versions of Android aside (not a whole heck of a lot of Obamaphone Tesla owners out there..), it is rather interesting how little thought is put into basic security, especially by those who supposedly are delivering cutting edge technology to consumers.
14 posted on 12/02/2016 10:32:55 AM PST by kingu (Everything starts with slashing the size and scope of the federal government.)

To: Swordmaker

There’s no link for that when I load the page.


15 posted on 12/02/2016 1:43:53 PM PST by wastedyears (Clinton's supporters crying is the best thing ever..)

To: wastedyears
Try this:

BleepingComputer.com

16 posted on 12/02/2016 2:02:14 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
