Android Malware Used To Hack and Steal Tesla Car (bleepingcomputer.com) 118
An anonymous reader writes: By leveraging security flaws in the Tesla Android app, an attacker can steal Tesla cars. The only hard part is tricking Tesla owners into installing an Android app on their phones, which isn't that difficult according to a demo video from Norwegian firm Promon. This malicious app can use many of the freely available Android rooting exploits to take over the user's phone, steal the OAuth token from the Tesla app and the user's login credentials. This is possible because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection, allowing attackers to alter the app's source code and log user credentials. The OAuth token and Tesla owner's password allow an attacker to perform a variety of actions, such as opening the car's doors and starting the motor.
Why bother with hacking? (Score:1)
Re: (Score:3)
Because a tow doesn't start the car.
If you tow it away, typically you would like to start it afterwards.
Re: (Score:1)
You don't really "start" an electrical car, do you?
Re: (Score:2)
You "start" an electrical car.
The switched 12V power supply that is used to ENABLE the powertrain still has the traditional name "IGNITION", even if the car does not have an ignition at all (Diesel, Electric....) or if the ignition signal is further gated (hybrid gasoline....)
Re: So don't use apps (Score:5, Interesting)
The thing that worries me is that pretty soon, you won't be able to buy any car that doesn't include a whole bunch of electronic remote communications, whether you want it or not, and regardless of whether you consider it a security and/or privacy risk.
Here in the UK insurers routinely demand that a recognised tracker device be installed in faster/higher-end vehicles as an anti-theft measure before they will provide cover. Moreover, I don't know myself where the tracker is installed in my own vehicle, because no-one except the person who actually did the installation does; apparently the people who do it won't even tell the dealers or allow anyone else in the room while they're working. I have some reservations about that already given the obvious privacy implications and the legal requirement to have insurance to use the car. But at least that is a separate system, operated by a private company whose contract is with me and whose reputation would be on the line if it came out they were activating the tracking for any reason other than my calling them and asking them to.
With modern cars that come with the likes of OnStar as standard, or with the new European eCall system that will be mandatory for all new cars sold in Europe within the next couple of years, you're talking about an electronic system that is intimately connected into the operational systems on the car and has remote communications capabilities. Given the notorious lack of security within a typical car's software environment, these systems seem potentially very dangerous to me, despite being well-intentioned and presumably being beneficial if you really are in a serious accident.
Re: So don't use apps (Score:2)
It will be behind the glove box, they always are, to tap into car data
Re: (Score:3)
Re: So don't use apps (Score:4, Interesting)
I live in eastern Europe and we're way ahead of you guys on this one. When you want to get insurance for a reasonably new car the insurance guys disassemble and rewire your OBD2 ports in a pseudo-random manner. Then they wire you an OBD2 F2F adapter whose input is your scrambled OBD2 and the output is the standard working one. In short, your car's OBD2 doesn't work without the adapter, so as long as you don't leave your adapter in the car your port is unusable without rewiring it back to a working condition.
Now granted this is a bit of security through obscurity, but it means a thief can't easily plug a laptop in your CAN to hotwire your car. Sure, if the thief has the time to disassemble your OBD2 port and can rewire it back they can steal your car eventually. However, this turns a 30-second job into a 5-10 minute job that requires extra tools and know-how and for a lot of car thefts that's good enough as prevention.
What I'm saying is, there's no car on the market that won't run without fancy remote/multimedia functionality. I can bet that even if the automakers want to make a car like that it will have a hell of a time getting certified.
TL;DR: The extra functions can easily be scrambled or unplugged internally in a way that disables them completely.
Re: So don't use apps (Score:2)
It depends on the app, I suppose. Some car manufacturers actually thought through this - BMW ConnectedDrive will allow you to lock the doors from your phone without hassle, but the unlock feature requires a phone call where a friendly agent verifies your identity. The function isn't even in the application - it's just a button that dials their 1-800 number.
Re: (Score:2)
Right, they locked out a function from the users but not from the hackers: "They were able to reverse engineer some of the software that we use for our telematics," said Dave Buchko, a BMW spokesman. "With that they were able to mimic the BMW server." [pcworld.com]
BMW didn't even think to use https to access their cars' lock and unlock during design. A quick search shows lots of issues with the BMW connected drive security.
Re: (Score:2)
I'm not saying that there can't be vulnerabilities elsewhere in the chain, but at least they thought about having that function available on OS platforms and hardware that they have absolutely no control over, and have no remedy to fix exploits of when it's loaded onto thousands of phones with dozens of combinations of hardware / software. And, BMW does not offer remote start capabilities - the most you could do is unlock the doors. You would still need to deal with any ignition immobilizer in place once
Re: (Score:2)
Re: So don't use apps (Score:2)
Yeah, how dare Tesla not fix Android's flaws and horrible cross-application security model. What a bunch of scammers!
Re: (Score:2)
Re: (Score:3)
So your thinking is that Tesla should up the price of all their cars by ~$1000 and include an iPhone with every car?
Just abandon Android as insecure?
Re: (Score:2)
Re: (Score:2)
"That" being what?
Re: (Score:2)
Re: (Score:2)
So you think that it's Tesla's fault that Android, the widest deployed smartphone OS is a POS security wise. Ohkaaayyy...
Re: (Score:2)
Tesla can't control Android, but they can decide whether they put their app on Android or not. If Tesla is comfortable putting their name behind an Android app that can start cars, then obviously they don't think Android is the POS that you think it is. They wrote the app, they can accept the risk for it. Or, they could only publish on iPhone only and say, "We're sorry we did not feel Android was secure enough for
Re: (Score:2)
If you don't want people putting words into your mouth you're going to have to start explaining how you a coherent position.
So now you're claiming that Tesla should prevent people from installing insecure applications on their Android smartphones? The Tesla app isn't insecure. The token it uses to communicate with cars can just be stolen by other bad-intentioned apps, something that could happen just as well on iOS.
Tesla should pull its Android app just because some people can't stop themselves from instal
Re: (Score:2)
Re: (Score:2)
So you're one of those blame-the-victim guys. I'm mostly an iPhone guy but have had pro Androids since Blackberry died. I'm not a potential Tesla owner as they have 2 wheels too many & I don't see my company buying Teslas before I retire in a decade or two for my company car.
That Android has a security problem is no revelation to me as it is one of the reasons I chose iPhones yet even with all that said, Tesla isn't to blame here.
If you want to push Google to improve Android's Security, stop blaming th
Re: (Score:2)
Re: (Score:2)
I smell a law suit here (Score:3)
There is a law suit I am smelling here. Am I alone?
Re: (Score:2)
There is a law suit I am smelling here. Am I alone?
"The only hard part is tricking Tesla owners into installing an Android app on their phones..."
"Android Malware Used to Hack..."
A lawsuit against who exactly? Android, for allowing malware onto their platform so easily, or fucking ignorant humans who don't care enough about security and install anything shoved in front of their face, infecting their phone?
My patience for both groups grows very fucking thin, but I'm having less and less of a problem these days calling out stupid people.
I blame Tesla software coders last here, because that's an easy fix by comparison.
Re: (Score:2)
"I blame Tesla software coders last here, because that's an easy fix by comparison."
Sounds like what Elon said, but if it made it to court it might be decided otherwise.
Re: (Score:2)
Personally, I don't really fault the makers of the Tesla app very much. Even if they had encrypted the OAuth token and taken more security measures, once the phone is rooted by some rogue app, there's only so much you can do.
It's similar to the problem of Filezilla storing FTP passwords in plaintext. Once you have malware on your machine, encrypting the passwords is going to do very little to protect them, since there are so many other ways to attack the system to get the passwords. There's also a simple f
Re: (Score:2)
"I blame Tesla software coders last here, because that's an easy fix by comparison."
Sounds like what Elon said, but if it made it to court it might be decided otherwise.
Elon could legally mitigate that risk by simply ordering the software bug to be patched immediately, thus demonstrating that he actually gives a shit.
Now, go try patching stupidity and ignorance. I'd rather haul humans into a courtroom for exhibiting that behavior in order to try and curb the devolution of mankind we're seeing today in the endless race to make everything idiotproof.
Re: (Score:3)
For God's sake, Android is one giant security nightmare from the git go. So is iOS. So are computers in total. You can't "patch" away the reality. With great capability comes great potential for wrongdoing. The black hat is ALWAYS going to be ahead in the arms race. The black hat only has to nose around endlessly and find a single vulnerability. The good guys have to constantly plug ALL the holes that spring up. It's like trying to protect against IEDs by devising constantly stronger armor. You take what us
Re: (Score:2)
For God's sake, Android is one giant security nightmare from the git go. So is iOS. So are computers in total. You can't "patch" away the reality. With great capability comes great potential for wrongdoing...
Then perhaps we should stop with the fucking "potential" feature race already.
Take one of our largest problems today. 20 years ago it was essentially impossible to "hack" a cell phone in the same way you can today due to the utter lack of features. Back then, it was more about hacking the unencrypted cellular traffic itself, which sadly we have the devolution of our Constitutional rights to thank for shit like IMSI catchers to rape innocent citizens of their privacy today. As a result, you have a very s
Re: (Score:2)
While generally agree with "personal responsibility"
"...because the Tesla Android app stores the OAuth token in cleartext, and contains no reverse-engineering protection..."
In this day and age? Are you fucking kidding me?
Yes, I think this constitutes lawsuit worthy, they're not coders, they're complete incompetent hacks.
Re: (Score:2)
Encrypt away, and obscure it against reverse engineering, then. That didn't prevent them from breaking Enigma 75 years ago. You can barely slow them down today, and they will be laughing at you for the futility of what you attempt.
Android security flaw and not Tesla security flaw? (Score:5, Informative)
Re: (Score:2, Interesting)
Re: (Score:3)
My Android developer take on this same story:
It is Tesla's fault. Why?
They decide which target sdk and which min sdk version they support (compile sdk doesn't really matter for liability purposes). They should be aware of the consequences of supporting older versions. If they use a feature that is vulnerable in one of the versions they support, it's CLEARLY their fault ;-)
This reminds me of a question [stackoverflow.com] I once answered - someone wanted to store passwords on Android's SharedPreferences for "remember password"
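An added example, not part of the comment above or of any app discussed in this thread: a check a developer could run over their own app's SharedPreferences XML, pulled from a test device, to flag cleartext values that look like OAuth tokens or saved passwords, which is the storage issue the summary and this comment describe. The key names, the sample file, the regular expressions and the entropy threshold are all constructed assumptions.

```python
import math
import re
import xml.etree.ElementTree as ET

# Constructed sample in the SharedPreferences XML layout; every value is fake.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="access_token">c2FtcGxlLW5vdC1hLXJlYWwtdG9rZW4tMDEyMzQ1Njc4OWFiY2RlZg</string>
    <string name="remember_password">hunter2</string>
    <string name="units">km</string>
    <string name="cache_v2">eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.</string>
    <boolean name="notifications" value="true" />
</map>
"""

# Assumed heuristics: key names that suggest a credential, and the
# three-segment base64url shape used by JWTs.
SENSITIVE_NAME = re.compile(r"token|passw|secret|credential|session|auth", re.I)
JWT_SHAPE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*$")


def shannon_entropy(value):
    """Bits of entropy per character of a non-empty string."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())


def audit_prefs(xml_text):
    """Return [(key, [reasons])] for <string> entries that look like cleartext secrets."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if not value:
            continue
        reasons = []
        if SENSITIVE_NAME.search(name):
            reasons.append("sensitive key name")
        if JWT_SHAPE.match(value):
            reasons.append("JWT-shaped value")
        elif len(value) >= 32 and shannon_entropy(value) >= 4.0:
            # Long random-looking strings are typical of opaque bearer tokens.
            reasons.append("long high-entropy value")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for key, why in audit_prefs(SAMPLE_PREFS):
        print(f"{key}: {', '.join(why)}")
```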
Comment removed (Score:5, Insightful)
Sock full of batteries (Score:3)
You don't even need an OS and the battery life is better. Just club someone with a sock full of batteries (don't even need to be LiPos). You don't even need to charge the batteries.
Re: (Score:2)
>> you can start the neighbor's autonomous car
Nobody has neighbours with autonomous cars.
Re: (Score:2)
The difference is that the victim will have a much harder time convincing their insurance company and the cops that they weren't negligent and aren't running a scam.
There was a spate of thefts of BMWs and other expensive cars a few years ago. No alarms, no broken glass, cars driven away despite having immobilisers, victims accused of losing the keys etc. Turned out that you could prevent the car from locking properly, then once inside use the OBD-II diagnostic port to clone the keys and drive it away.
Re: (Score:2)
I can steal one by hitting people with a Nokia phone and it isn't limited to one brand of cars.
That's a different level of crime though.
It's like saying that PIN numbers on bank cards are useless because someone could always kidnap and torture the information out of you.
Re: (Score:2)
Yes, I also don't get this one, it's moot.
Re: (Score:2)
It would make for a funny zero-day situation, where someone simultaneously steals every net-connected Tesla in the US, orders them to drive to a friend's house, and then shuts down all external communication with the vehicles ;) Every last road for dozens of kilometers would be clogged up as the route finding system tries to find ways to get there that aren't already jammed up.
Just a random unrelated thought: 10-20 years from now, autopilot and the like are going to be beloved by insurgent groups. One of
Re: (Score:3)
I appreciate your smiley, this is actually a serious security issue. The trouble is, it's not even an insurgent on the far side of the world driving a remote controlled weapon that is the biggest concern. It's an insurgent on the far side of the world turning your own car into a remote controlled weapon while you and your family are driving home in it from a shopping trip, along with many other cars at the same time.
I disapprove of fear-mongering over terrorism as much as the next guy, but objectively, the
Re: (Score:2)
Indeed. The NHTSA would never approve of a situation where commands transmitted by smartphone or other data link override commands physically given from hardware inside the vehicle.
Re: (Score:2)
Of course they will. In fact, eventually they'll mandate it. They'll want the police to be able to stop your car remotely. Of course eventually someone other than the police will use the same method, but "think of the children" or "terrorists!" will cause them to implement it anyway.
Re: (Score:2)
I'm sorry to be the bearer of bad news, but vehicles with such vulnerabilities have already been compromised on public roads in at least one controversial demonstration [wired.com]. This is not a hypothetical threat. Vehicles vulnerable to this sort of attack are on the roads today, yet so far governments and their regulators either don't understand the dangers or don't seem to be willing to act on them.
Customer service (Score:2)
Re: Customer service (Score:2, Informative)
I miss the days when people actually took responsibility for doing stupid things.
Would you blame Ford if someone left the keys in their car when running into a convenience store and came back out to see their car gone? Because that's what you are doing here.
Fuck off, troll.
Re: (Score:2)
Re: (Score:2)
The user downloaded a sketchy compromised trojan horse app. This is remarkably easy not to do - millions upon millions of people manage to not do that every day.
Stop acting like you need some level of knowledge to not have your shit exploited - millions manage this feat every single day. They don't download sketchy apps from sketchy sources, or they actually pay attention to the parade of warnings that Android gives when you install an app, and that app is asking for permissions.
You're suggesting that peo
Re: (Score:3)
I don't know, this does sound a little bit like blaming Ford because your car was stolen when you handed the keys to some guy wearing a red coat and hat outside a posh restaurant. Is it really a security flaw with your car if the restaurant doesn't actually have valet parking?
And from the other article someone posted above, this apparently requires that you have the Tesla app on an out-of-date Android phone, the flaw used in the demonstration to steal the OAUTH data has already been patched...
Re: (Score:2)
Re: (Score:2)
If there's one thing I can guarantee, it's that there will be vulner
Why call it "Android Malware" (Score:1)
Bit of a biased article calling it specifically "Android malware", when the same malware exploiting the same security issue on Tesla's part (oauth as plaintext) on iOS would work the same way.
Specific targeting (Score:3)
To use this one would have to specifically target the android phone of a specific Tesla owner.
If someone wants to steal a specifically single person's car there are vastly easier ways to do it. Such as, hold a gun to the person's head and demand they turn over the key.
None of this was done in the wild, making the title needlessly click baity.
Now the question is: (Score:1)
Re: (Score:2)
If I use a Samsung Galaxy Notes 7 to steal a Tesla, what happens ?!?
Use a Note 7 to steal a Tesla and crash it into the back of a Ford Pinto hatchback.
That should make a nice explosion visible from orbit.
Wrong target (Score:2)
Trying to prevent reverse engineering is pointless, all you can do is make things more difficult and in doing so, making your code more complicated and harder to debug or potentially unreliable.
The fact is if you access something from a compromised device then you run the risk of whatever you're accessing being compromised too.
Switch to Android? (Score:1)
It's because Tesla (the name) spells STEAL (Score:1)
and you're simply doing what you were told
insert Android FUD .,. (Score:2)
13x less likely to be stolen than avg car because (Score:3)
Teslas are 13x less likely to be stolen than an average car according to Teslas are hard to steal [businessinsider.com].
The reasons are multifold. Starting the car and driving it off is the easy part. The few Teslas stolen to date have been largely due to what might be considered extreme negligence on the owner's part - like leaving the doors open and the fob inside.
But is that negligence? The car is totally connected and obscenely trackable. Getting away with stealing a Tesla would mean disconnecting it forever and thus losing a lot of its value. For example, you could never get a free recharge. I wonder how many of those few cars stolen have been recovered. I'd bet the number is high.
So, you steal it for parts? Wrong! There is virtually no used parts market. Tesla owners tend to buy their parts new.
It seems that the best you could hope for is likely a very quick joyride.
My question is "why this article now"? It is very sensationalist. I'm not questioning the efforts of those who found and reported the attack route. But why widely disseminate it to the general public without noting that Teslas are amongst the least likely to be stolen cars in the world. Is this an attack piece?
Security 101 (Score:2)
Security 101
1. If you can do something remotely, so can someone else.
Blame Tesla (Score:2)
Name of app (Score:1)
Re:Tesla Android (Score:4, Interesting)
This has nothing to do with the subject.
If you give the right to your phone to start your car, don't expect your phone not to be hacked, whatever the phone O.S.
Also in general, don't expect your phone not to be hacked.
Re: Tesla Android (Score:5, Informative)
"Since Android was launched over seven years ago, all Android devices have
shared a common security model that provides every application with a secure,
isolated environment known as an application sandbox. Android was one of
the first operating systems to introduce the idea of sandboxing to both protect
applications from attacks and protect the device from applications. Sandboxing
is used for all applications on the device, including system-level applications. "
https://static.googleuserconte... [googleusercontent.com]
Re: (Score:2)
iOS has had its share of remote exploitable root access vulnerabilities over the years, sandboxing (which Android does too) can't stop you once you have root.
Re: Tesla Android (Score:4, Insightful)
actually,...
Do expect Android to be hacked and all your info leaked to cave monkeys handling Google's development in some smelly jungle.
Google getting all your data via Android is neither a hack nor a leak.
It's a feature.
BREAKING NEWS! (Score:1)
Everything is hackable. Film at 11.
Re: (Score:2)
The difference is in some cases it is pre-hacked by adding backdoors. And that's especially bad !
Re: (Score:1)
The difference is in some cases it is pre-hacked by adding backdoors. And that's especially bad !
Adding backdoors? Don't be silly -- Teslas already have back doors. That's how your kids get in the car.