Tesla cars can be tracked, located, unlocked and driven away by compromising the company’s smartphone app. Researchers at Norwegian app security firm Promon demonstrated how easy it appears to be to steal a Tesla. Benjamin Adolphi, mobile software developer at Promon, created a fake free Wi-Fi hotspot that featured an ad targeted at Tesla owners, offering them a free burger at a local restaurant. Owners were then prompted to download an application in order to take advantage of the offer; however, the app contained malware that “manipulated” the Tesla app to grab the owner’s username and password. An OAuth token is used to authenticate the username and password every time the user starts the app. The Tesla app is modified where code was added to steal the username and password and sent to an attacker-controlled server. In order to trigger this code, the user needs to log in again. The Tesla app can be tricked into requiring the user to log in by simply removing the stored token. In the statement to Inforsecurity, Tesla said that the issue uncovered by Promon is to do with underlying mobile application security, rather than their application.
It is great that I can control my car with my phone, but if it has the risk of someone can easily steal my car. I would rather not use the application. I think Tesla should definitely improve the security of the application instead of blaming all mobile application security problem.
Link: http://www.infosecurity-magazine.com/news/smartphone-flaw-tesla-vehicles/
Jason A Lindsley says
I agree that Tesla should continue to improve their application security, but I believe that the weakest link in this scenario (and most) is the user. It is difficult for app developers to develop apps that are secure enough to protect a completely compromised device.
Vaibhav Shukla says
Its perfect example of week application security.I still have doubt when the app is stealing the Oauth token by taking away username and password which means that the values were not encrypted when they are being sent and it was like a man in middle attack
Arkadiy Kantor says
I have heard of another vulnerability with people being able to steal a Tesla simply by resetting the owners Tesla account and creating a new password. While getting a car stolen is not fun I hope tesla does a good job at maintaining security for a car that is in motion, since any “hack” of a moving car with passengers in it can become deadly!
Mauchel Barthelemy says
These type of innovations are good for convenience, but obviously not security-ready. This represents one of the reasons many consumers are reluctant to start using them. Tesla, Google and Apple need to work together for the common good of consumers’ safety and security.
Mengxue Ni says
I agree with all of your ideas, although Tesla cannot fully protect their user from a compromise device, they still need to take some actions to secure the application. If they have done everything they can to protect customers, no one will blame them when hacking happens.