Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Android Security

Android Malware Used To Hack and Steal Tesla Car (bleepingcomputer.com) 118

An anonymous reader writes: By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn't that difficult according to a demo video from Norwegian firm Promon. This malicious app can use many of the freely available Android rooting exploits to take over the user's phone, steal the OAuth token from the Tesla app and the user's login credentials. This is possible because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection, allowing attackers to alter the app's source code and log user credentials. The OAuth token and Tesla owner's password allow an attacker to perform a variety of actions, such as opening the car's doors and starting the motor.
This discussion has been archived. No new comments can be posted.

Android Malware Used To Hack and Steal Tesla Car

Comments Filter:
  • When you can get a tow truck and lift the Tesla onto it.
    • by stooo ( 2202012 )

      Because a tow doesn't start the car.
      If you tow it away, typically you would like to start it afterwards.

      • by Anonymous Coward

        you dont really "start" a electrical car do you?

        • by stooo ( 2202012 )

          You "start" an electrical car.
          The switched 12V power supply that is used to ENABLE the powertrain still has the traditionnal name "IGNITION", even if the car does not have an ignition at all ( Diesel, Electric.... ) or if the ignition signal is further gated (hybrid gasoline ....)

  • by bogaboga ( 793279 ) on Friday November 25, 2016 @06:51AM (#53358921)

    ...because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection...

    There is a law suit I am smelling here. Am I alone?

    • ...because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection...

      There is a law suit I am smelling here. Am I alone?

      "The only hard part is tricking Tesla owners into installing an Android app on their phones..."

      "Android Malware Used to Hack...

      A lawsuit against who exactly? Android, for allowing malware onto their platform so easily, or fucking ignorant humans who don't care enough about security and install anything shoved in front of their face, infecting their phone?

      My patience for both groups grows very fucking thin, but I'm having less and less of a problem these days calling out stupid people.

      I blame Tesla software coders last here, because that's an easy fix by comparison.

      • "I blame Tesla software coders last here, because that's an easy fix by comparison."

        Sounds like what Elon said, but if it made it to court it might be decided otherwise.

        • Personally, I don't really fault the makers of the Tesla app very much. Even if they had encrypted the OAuth token and taken more security measures, once the phone is rooted by some rogue app, there's only so much you can do.

          It's similar to the problem of Filezilla storing FTP passwords in plaintext. Once you have malware on your machine, encrypting the passwords is going to do very little to protect them, since there are so many other ways to attack the system to get the passwords. There's also a simple f

        • "I blame Tesla software coders last here, because that's an easy fix by comparison."

          Sounds like what Elon said, but if it made it to court it might be decided otherwise.

          "I blame Tesla software coders last here, because that's an easy fix by comparison."

          Sounds like what Elon said, but if it made it to court it might be decided otherwise.

          Elon could legally mitigate that risk by simply ordering the software bug to be patched immediately, thus demonstrating that he actually gives a shit.

          Now, go try patching stupidity and ignorance. I'd rather haul humans into a courtroom for exhibiting that behavior in order to try and curb the devolution of mankind we're seeing today in the endless race to make everything idiotproof.

          • by fnj ( 64210 )

            For God's sake, Android is one giant security nightmare from the git go. So is iOS. So are computers in total. You can't "patch" away the reality. With great capability comes great potential for wrongdoing. The black hat is ALWAYS going to be ahead in the arms race. The black hat only has to nose around endlessly and find a single vulnerability. The good guys have to constantly plug ALL the holes that spring up. It's like trying to protect against IEDs by devising constantly stronger armor. You take what us

            • For God's sake, Android is one giant security nightmare from the git go. So is iOS. So are computers in total. You can't "patch" away the reality. With great capability comes great potential for wrongdoing...

              Then perhaps we should stop with the fucking "potential" feature race already.

              Take one of our largest problems today. 20 years ago it was essentially impossible to "hack" a cell phone in the same way you can today due to the utter lack of features. Back then, it was more about hacking the unencrypted cellular traffic itself, which sadly we have the devolution of our Constitutional rights to thank for shit like ISMI catchers to rape innocent citizens of their privacy today. As a result, you have a very s

      • While generally agree with "personal responsibility"

        "...because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection..."

        In this day in age? Are you fucking kidding me?

        Yes,I think this constitutes lawsuit worthy, they're not coders they're complete incompetent hacks.

        • by fnj ( 64210 )

          Encrypt away, and obscure it against reverse engineering, then. That didn't prevent them from breaking Enigma 75 years ago. You can barely slow them down today, and they will be laughing at you for the futility of what you attempt.

  • by DiniZuli ( 621956 ) on Friday November 25, 2016 @06:52AM (#53358929) Homepage
    Here is another take on the same story: https://electrek.co/2016/11/23... [electrek.co]
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      Tesla has its part of the blame. Not for the car, but for the Android app. Probably outsourced it to a webdev firm.
    • My Android developer take on this same story:

      It is Tesla's fault. Why?

      They decide which target sdk and which min sdk version they support (compile sdk doesn't really matter for liability purposes). They should be aware of the consequences of supporting older versions. If they use a feature that is vulnerable in one of the versions they support, it's CLEARLY their fault ;-)

      This reminds me of a question [stackoverflow.com] I once answered - someone wanted to store passwords on Android's SharedPreferences for "remember password"

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Friday November 25, 2016 @06:53AM (#53358939)
    Comment removed based on user account deletion
    • You don't even need an OS and the battery life is better. Just club someone with a sock full of batteries (don't even need to be LiPos). You don't even need to charge the batteries.

    • by AmiMoJo ( 196126 )

      The difference is that the victim will have a much harder time convincing their insurance company and the cops that they weren't negligent and aren't running a scam.

      There was a spate of thefts of BMWs and other expensive cars a few years ago. No alarms, no broken glass, cars driven away despite having immobilisers, victims accused of losing the keys etc. Turned out that you could prevent the car from locking properly, then once inside use the OBD-II diagnostic port to clone the keys and drive it away.

    • I can steal one by hitting people with a Nokia phone and it isn't limited to one brand of cars.

      That's a different level of crime though.

      It's like saying that PIN numbers on bank cards are useless because someone could always kidnap and torture the information out of you.

  • I miss the days where a company would be considered a bad company if they blamed customers for problems that happened with something they created and sold as a feature.
    • I miss the days when people actually took responsibility for doing stupid things.

      Would you blame Ford if someone left the keys in their car when running into a convenience store and came back out to see their car gone? Because that's what you are doing here.

      Fuck off, troll.

      • Apple makes much profit, I am constantly reminded because people don't understand technology. Elon was so concerned that people wouldn't understand Autopilot that he had to put a page in the manual. Can Tesla confirm that people are properly educated on this? This isn't a stupid people doing stupid things. It may seem stupid to you and I because if we are here we understand technology. It is obvious that a lot of people don't. They need help in the Apple Store setting up a MacBook for crying out loud.
        • The user downloaded a sketchy compromised trojan horse app. This is remarkably easy not to do - millions upon millions of people manage to not do that every day.

          Stop acting like you need some level of knowledge to not have your shit exploited - millions manage this feat every single day. They don't download sketchy apps from sketchy sources, or they actually pay attention to the parade of warnings that Android gives when you install an app, and that app is asking for permissions.

          You're suggesting that peo

    • I don't know, this does sound a little bit like blaming Ford because your car was stolen when you handed the keys to some guy wearing a red coat and hat outside a posh restaurant. Is it really a security flaw with your car if the restaurant doesn't actually have valet parking?

      And from the other article someone posted above, this apparently requires that you have the Tesla app on an out-of-date Android phone, the flaw used in the demonstration to steal the OAUTH data has already been patched...

      • As a Tesla owner, I didn't put the app on Android. Therefore it is more like Tesla handing your keys to some guy wearing a red coat and hat outside a posh restaurant. Or at the very least, it is like handing the valet the key that isn't supposed to open the trunk but yet finding something from the trunk missing because there was a flaw with the key that allowed the valet to open the trunk after all.
    • I don't see where Tesla blamed the customers for this. I don't see where Tesla said anything in TFA, actually. This is also a proof of concept attack, not a real-world one. Tesla also has a (serious) bug bounty program, which is more than can be said of many other car manufacturers. Hell, Tesla even brought one of its cars to Defcon in 2015 and had it on the main floor, inviting people to try and hack it as advertisement for said program.

      If there's one thing I can guarantee, it's that there will be vulner
  • by Anonymous Coward

    Bit of a biased article calling it specifically "Android malware", when the same malware exploiting the same security issue on Tesla's part (oauth as plaintext) on iOS would work the same way.

  • by nitehawk214 ( 222219 ) on Friday November 25, 2016 @09:45AM (#53359605)

    To use this one would have to specifically target the android phone of a specific Tesla owner.

    If someone wants to steal a specifically single person's car there are vastly easier ways to do it. Such as, hold a gun to the person's head and demand they turn over the key.

    None of this was done in the wild, making the title needlessly click baity.

  • If I use a Samsung Galaxy Notes 7 to steal a Tesla, what happens ?!?
    • If I use a Samsung Galaxy Notes 7 to steal a Tesla, what happens ?!?

      Use a Note 7 to steal a Tesla and crash it into the back of a Ford Pinto hatchback.

      That should make a nice explosion visible from orbit.

  • Trying to prevent reverse engineering is pointless, all you can do is make things more difficult and in doing so, making your code more complicated and harder to debug or potentially unreliable.
    The fact is if you access something from a compromised device then you run the risk of whatever you're accessing being compromised too.

  • You mean I have to switch to an Android to steal Teslas? I'm sorry, but that's a deal breaker.
  • and you're simply doing what you were told

  • So let me see if I understand correctly, if you download and install malware on your Android device, you'll get hacked, just where is the technology angle?
  • Teslas are 13x less likely to be stolen than an average car according to Teslas are hard to steal [businessinsider.com].

    The reasons are multifold. Starting the car and driving it off is the easy part. The few Teslas stolen to date have been largely due to what might be considered extreme negligence on the owners part - like leaving the doors open and the fob inside.

    But is that negligence? The car is totally connected and obscenely trackable. Getting away with stealing a Tesla would mean disconnecting it forever and thus losing a lot of its value. For example, you could never get a free recharge. I wonder how many of those few cars stolen have been recovered. I'd bet the number is high.

    So, you steal it for parts? Wrong! There is virtually no used parts market. Tesla owners tend to buy their parts new.

    It seems that the best you could hope for is likely a very quick joyride.

    My question is "why this article now"? It is very sensationalist. I'm not questioning the efforts of those who found and reported the attack route. But why widely disseminate it to the general public without noting that Teslas are amongst the least likely to be stolen cars in the world. Is this an attack piece?

  • Security 101
    1. If you can do something remotely, so can someone else.

  • I see many people blaming Tesla, but in my opinion, assuming the OS can keep a cookie secret is not a security mistake. The flaw is in the OS here.
  • Is it called Edison?

If money can't buy happiness, I guess you'll just have to rent it.

Working...