Two German researchers demonstrated how a Tesla Model X can be hacked from the air using a drone. The researchers claim that the hack works on other Tesla models and possibly on other makes of cars as well. Tesla has since released a patch for the hack, but the hack shows the vulnerability of connected car systems.
Tesla Offers Prize for Findings
Each year the Pwn2Own competition is held, during which contestants hack into devices using previously unknown vulnerabilities. The contestants receive the device as a prize if they manage to achieve a Tier 1 hack. In 2019 an Automotive category was added, where contestants receive cars they hack as prizes. Since the category’s inception, Tesla has offered cash and a car for hacking its models at Pwn2Own.
Two German security researchers, Ralf-Philipp Weinmann, CEO of Kunnamon, and Benedikt Schmotzle of Comsecuris GmbH, had hoped to present their Tesla hack at this year’s Pwn2Own. However, the competition was cancelled due to the Coronavirus pandemic. Consequently, the two researchers decided to release their findings at the CanSecWest security researchers conference instead. They also released a whitepaper describing their findings.
Before demonstrating the hack to the public at CanSecWest, the researchers reported the vulnerability to Tesla through its bug bounty program. They then waited for Tesla to release a patch for the cybersecurity vulnerability they had discovered before demonstrating it. According to Weinmann, he and Schmotzle received $31,500 from Tesla for their hack demonstration on the Tesla Model X.
The Drone TBone Attack
The researchers dubbed their hack TBone. It exploits two vulnerabilities in ConnMan, an internet connection manager used in Tesla’s infotainment system, which one can connect to using a Wi-Fi network. In their demonstration of the ConnMan vulnerabilities, they opened a Tesla Model X’s doors using a drone and a Wi-Fi dongle.
The researchers only opened a Tesla’s doors. However, hackers could exploit the vulnerabilities to take full control of a parked car’s infotainment system. This would allow hackers to do remotely what a driver could do on the system from within the car. No user interaction is required for the hack, and it can be accomplished by a drone from 100 meters away.
Attackers could unlock a Tesla’s doors and trunk. They could change seat positions, play music, control the air conditioning, and modify steering and acceleration modes. Essentially, they could do anything short of starting the car. The researchers explained that the attack “does not yield drive control of the car”. They also claimed that the exploit doesn’t only work against the Tesla Model X. It also works against the Tesla Model S, 3 and Y.
Exploit Can Easily be Weaponized
Weinmann explained that the exploit they had demonstrated with the Tesla Model X could easily be weaponized. However, he and Schmotzle had decided not to do so. “Looking at the fact TBONE required no user interaction, and ease of delivery of the payload to parked cars, we felt this attack was ‘wormable’ and could have been weaponized. Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity,” Weinmann said.
In addition, the researchers note that this vulnerability could exist in other car makes that use the same ConnMan component. Weinmann maintained that around half of the car manufacturing industry uses the same ConnMan component. Therefore, a large number of cars driving on the roads today could be open to a TBone attack.
The two researchers attempted to warn the car manufacturing industry by first going to Intel, the developers of ConnMan. However, Intel felt it wasn’t their responsibility. They then turned to Germany’s national CERT, which organizes fixes for ConnMan issues. Nonetheless, it isn’t clear whether all car manufacturers have heeded the warning and patched the code, as Tesla has done.
Issues with Tesla Cars
This is not the first vulnerability found in Tesla cars. Late last year, Belgian security analysts showcased several security flaws in the Tesla Model X. The flaws were in Tesla’s key fob software, which allowed the analysts to steal a Tesla in two minutes by targeting issues with Bluetooth.
Then, a few months ago, Tesla’s use of cabin cameras came under scrutiny when the US’s Consumer Reports magazine stated Tesla’s cameras could pose privacy concerns. Tesla’s cabin cameras use facial features to increase vehicle safety, whereas other car manufacturers use infrared technology. Consequently, those manufacturers’ systems don’t pose the same privacy risks as Tesla’s system.