Your Tesla car can be hacked by Android Malware
【Summary】Researchers from Norwegian security company Promon recently hacked into a Tesla car by rooting some malware into a driver’s Tesla Android app. By obtaining the person’s Tesla app login username and password, hackers could almost fully control the car and even drive it away.
Suppose your new Tesla car was somehow remotely controlled by hackers hiding miles away -- they could start your car's engine, open its doors, or even monitor its driving path on road. That is something to worry about for sure.
Researchers from the Norwegian security company Promon recently hacked into a Tesla car by rooting some malware into a driver's Tesla Android app. By obtaining the person's Tesla app login username and password, hackers could almost fully control the car and even drive it away.
"The security of the internet connected services that we have in our daily lives heavily depends on the app we use to access, monitor and control the devices." Lars Lunde Biirkeland, Marketing Director of Promon said in the videotaped hack test trial.
The researcher created a free wifi hot-spot that's been put on an advertisement at a Tesla charging station. When someone logs into the free wifi, it will pop up an advertisement that says you could get a free burger by installing a restaurant app. When the driver installs the app it roots the malware into the driver's Tesla android app and steals his username and password data. Then the hacker can enable Tesla's keyless driving functionality, and operate a series of actions on the car.
"The methods we use for this are really simple, and have been known for years..and it's also been used by cybercriminals for a long time." Benjamin Adolphi, Software Developer Mobile at Promon, when acting as the hacker, explained that the whole process was just a simple trick.
Why is it so easy for hackers to disrupt a Tesla car? The problem lies in the vulnerability of the Tesla Android app. The app will generate an OAuth token when the driver enters his username and password information to login. The token will be kept for 90 days and then expire -- a convenient way for customers to not type in the information every time when using it.
However, researchers found out that the token is saved in a plaintext file under the app's "sandbox" folder. An attacker could simply read the token if he has access to the Tesla driver's phone. Moreover, there can be multiple ways of modifying the app's source code to steal the login data, besides the fake wifi hot-spot trick mentioned above.
When holding the login information, the hacker could use a laptop to send well-crafted HTTP requests to the Tesla servers with the victim's OAuth token and password when necessary, to do manipulations such as unlock the car and start its engine.
Tesla is certainly to blame for not safely protecting the OAuth token. However, mobile carriers also have responsibility for protecting customers' private information from being stolen. Last year, Google provided timely security updates from the Android OS, which many carriers failed to deliver to their customers.
Promon experts suggest that Tesla's app be equipped with two-factor authentication. To begin, they should avoid saving the OAuth token in a simple cleartext as it will become an easy target for hackers. Meanwhile, the app should prevent easy access to its source code. And it should use a custom keyboard layout when drivers enter passwords so that mobile keyloggers won't be possible.
Claire Peng has over 6 years of professional experience in the media industry, covering TV, newspaper and online media. She was once a reporter and producer for Fairchild Television based in Toronto Canada, and worked as an English news reporter for the Global Times in Beijing. She writes mainly about self-driving, companies investment, and the enterprise lab.
NYU Releases the Largest LiDAR Dataset to Help Urban Development
July 13th, 2017 News of the Day: Uber merges with Yandex, U.S. to simplify driverless car rules
Hyperloop One Completes Its First Successful Test Run
July 12th, 2017 News of the Day: Faraday to move its factory, Vizio files lawsuit against LeEco
July 11th, 2017 News of the Day: Tesla to triple its service, Porsche posts half-year sales record
Faraday Future Halts Construction of $1 billion Factory in Nevada
July 10th, 2017 News of the Day: China to become Cadillac’s largest market, Oregon adds EV rebate
July 7th, 2017 News of the Day: VW partners with Kuka, Tesla to build battery factory in Australia
- Tesla is Once Again Raising Prices in China as the Sino-U.S. Trade War Drags On
- Porsche Officially Debuts its Electric Taycan, its Competitor to the Tesla Model S
- AAA Study Finds Pedestrian Detection Systems Perform Inconsistently
- GM Takes Heat for Backing the Trump’s Administration Plan to Revoke California’s Ability to Set its Own Emission Standards
- ID.4 to be Volkswagen’s New U.S.-bound EV Crossover
- Uber Sells $1.2 Billion in Junk Bonds to Help Fund its Acquisition of Dubai-based Careem
- U.S. Moving to Block California Vehicle Emissions Rules
- Waymo is Offering Robotaxi Pickups in Arizona with No Safety Driver Behind the Wheel
- Founder of EV Startup Faraday Future Files for Bankruptcy Protection
- Tesla Will Unveil its new Electric ‘Cybertruck’ on Nov 21