Tesla Car Can Be Stolen by Infecting Its Owner’s Smartphone With Malware

Car hacks are not a new trend among information security experts. For example, in September 2016, researchers at Tencent Keen Security Lab demonstrated a remote hack of the Tesla Model S P85 and Model 75D. Researchers usually carry out such attacks by compromising the car's own onboard software, but specialists from the Norwegian company Promon decided to approach the problem from a different angle and attack the Android app instead.

By default, when installing the official Tesla app, the car owner must enter a username and password, for which the app will generate an OAuth token. Subsequently, when the user accesses the app again, it uses that token, so no re-entering of credentials is required. The OAuth token is not stored forever; the app deletes it after 90 days and asks for the username and password again.


Promon researchers found that the Tesla app stores the OAuth token in plain text in the app's sandbox directory. An attacker who gains access to the victim’s smartphone can therefore read the token.


Experts write that these days it’s not difficult to create a malicious Android app that contains root exploits, such as Towelroot or Kingroot. Exploits help to elevate an app’s privileges on the system and then read or spoof data from other apps.


However, simply knowing the token is not enough. Once an intruder has the token, he can perform some actions on the car, but he won’t be able to start it; for that he needs the owner’s password. The researchers came up with a way around that as well. If the malicious app removes the OAuth token from the victim’s device, she will have to re-enter the username and password, which gives the attacker an excellent opportunity to intercept the credentials. The researchers concluded that the attacker could easily make changes to the Tesla app code. If an intruder already has root access to the device thanks to malware, it would not be difficult to have a copy of the car owner’s credentials forwarded to his server.


With the token and credentials from the official Tesla app, the attacker can send properly crafted HTTP requests to the Tesla servers, using the token and, if necessary, the victim’s username and password. As a result, an attacker would be able to start the engine without a key, open the doors, track the car and so on. In theory, there are many more possibilities, but the researchers have not tested the full range in practice.


The video below shows the researchers’ idea in action and offers one possible attack scenario: convince a victim to install a malicious app on their smartphone by promising them a free dinner at a local restaurant. Banal social engineering still works great.

Promon specialists recommend that Tesla engineers use two-factor authentication in their apps and stop storing OAuth tokens as plain text. In addition, to protect against password hijacking, the researchers recommend using a custom keyboard layout.

About the Author

Christopher Walker

Hi, I'm Christopher. My couch hobby is watching new technology. But the wine of my addiction is technology related to electric cars. I especially love the Tesla. Read all the interesting stuff on this site.
