A smartphone app flaw has left Tesla vehicles vulnerable to being tracked, located, unlocked, and stolen.

Security experts at Norwegian app security firm Promon were able to take full control of a Tesla vehicle, including finding where the car is parked, opening the door and enabling its keyless driving functionality. A lack of security in the Tesla smartphone app opened the door to all manner of exploits, as explained in a blog post here. The cyber-attack unearthed by Promon provides additional functionality to that exposed by Keen Security Labs in a different hack in late September.

Tom Lysemose Hansen, founder and CTO at Promon, said: "Keen Security Labs' recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car."

One way for the hack to work is for cybercriminals to set up a Wi-Fi hotspot, likely close to a public Tesla charging point. When Tesla users log in and visit a page, an advert targeting car owners appears, offering an incentive such as a free meal or coffee. When clicking this link and downloading the accompanying app, hackers can gain access to the user's mobile device, allowing them to attack the Tesla app and obtain usernames and passwords.


In an update, Promon outlines the many and varied security shortcomings of Tesla's app.

This attack is not Tesla specific, and can in generalised form be used against any app. However, the Tesla app did not offer any kind of resistance which would require time-consuming effort to exploit.

One thing that stood out was that the OAuth token is stored in plain text – absolutely no attempts have been made to encrypt it, or otherwise protect it. Getting access to this one piece of data alone will get you the location of the car, the ability to track the car, and the ability to unlock it.

Driving off with the car requires the username and password in addition, which was very easy to do since the application did not detect that it had been modified to add malware-like behaviour that would send the credentials out of the app to a server.

"If Tesla had followed best practice in security (e.g. as recommended by the Open Web Application Security Project), including applying self-protecting capabilities inside the app, it would have required much higher technical skills – and much more effort – to perform such an attack," according to Promon. The Norwegian app security firm said that it was in "close dialogue with Tesla" in order to address these app security issues.

El Reg asked Tesla to comment on the research on Thursday, a US national holiday. We're yet to hear back but we'll update this story as and when we hear more.

John Smith, principal solutions architect at app security firm Veracode, commented: "With Tesla just recently remediating a vulnerability which allowed the car to be exploited remotely, this new security flaw leaves the car vulnerable to theft and highlights the plethora of challenges that car manufacturers now face as they introduce internet-connected services into the car. Vulnerable software is one of the most significant challenges faced by the automotive industry, with findings from a recent IDC report indicating that there could be a lag of up to three years before car security systems are protected from hackers.

"There are over 200 million lines of code in today's connected car, not to mention smartphone apps linked to the car. So it is essential that car manufacturers put security at the heart of the development strategy, rather than as an afterthought." ®


The Register - Security

The Obama Administration has issued a new Federal Automated Vehicles Policy to help facilitate the responsible introduction of self-driving cars.


The policy sets a proactive approach to providing safety assurance and facilitating innovation through four key parts.

Vehicle performance guidance uses a 15-point Safety Assessment to set clear expectations for manufacturers developing and deploying automated vehicle technologies.

Model state policy delineates the Federal and State roles for the regulation of highly automated vehicle technologies as part of an effort to build a consistent national framework of laws to govern self-driving vehicles.

Finally, the policy outlines options for the further use of current federal authorities to expedite the safe introduction of highly automated vehicles into the marketplace, and discusses new regulatory tools and statutory authorities the federal government may need as the technology evolves and is deployed more widely.

The public is welcome to comment on the new policy, and the Department of Transportation intends to update it annually.

“This policy is an unprecedented step by the federal government to harness the benefits of transformative technology by providing a framework for how to do it safely,” commented Anthony Foxx, US Transportation Secretary.

The primary focus of the policy is on highly automated vehicles, or those in which the vehicle can take full control of the driving task in at least some circumstances. Portions of the policy also apply to lower levels of automation, including some of the driver-assistance systems already being deployed by automakers today.

Simultaneously with this policy, NHTSA (the National Highway Traffic Safety Administration) is releasing a final enforcement guidance bulletin clarifying how its recall authority will apply to automated vehicle technologies. In particular, it emphasizes that semi-autonomous driving systems that fail to adequately account for the possibility that a distracted or inattentive driver-occupant might fail to retake control of the vehicle in a safety-critical situation may be defined as an unreasonable risk to safety and subject to recall.

David Barzilai, Karamba Security chairman and co-founder, believes that the DOT guidelines for self-driving cars are timely.

“Navigant Research projects that by 2020, 25% of shipped cars will support different levels of autonomy, growing to 44% of all shipped cars in 2025. These levels, established by the NHTSA and SAE (Society of Automotive Engineers), range from braking and acceleration to auto sensing cars and changing lanes to complete autonomy with the car controlling all safety-critical functions through the entire trip,” he noted.

“The DOT guidelines indicate the need for cybersecurity best practices and call upon industry technology companies and the car manufacturers to share knowledge and create them. DOT expects such best practices to be embedded in the designs of the autonomous cars,” he says.

“The leading car companies and Tier-1 providers have already started to create internal methods for hardening cars against hackers. Yet, they have been experiencing a gap between common enterprise cybersecurity methodologies that protect against data loss and in-car security that protects against fatalities and damages. Both NHTSA and the industry are seeking solutions that will enable the prevention of attacks, not just detection, without risking lives due to false alarms, problems that can lead to legitimate car commands failing to execute, such as airbag deployment.”

“It is not a simple task, but it is absolutely critical, as preventing the attack is even more important than detecting the attack,” he added. “The industry must stop hackers before they ever succeed to penetrate into cars due to the sheer scale of fatalities and property damage that could result from cyberattacks on cars.”

Help Net Security

Tesla car owners are urged to update their car’s firmware to the latest version available, as it fixes security vulnerabilities that can be exploited remotely to take control of the car’s brakes and other, less critical components.

The vulnerabilities were discovered by researchers from Tencent’s Keen Security Lab, and responsibly disclosed to Tesla. The company’s Product Security Team confirmed them, and implemented fixes in the latest version of the firmware.

Tencent’s researchers understandably didn’t reveal details about the flaws, but have provided a video demonstration of the attacks:

They have managed to remotely open various Tesla cars’ sunroof, turn on the blinkers, move the car seat, and open doors, all while the cars were in parking mode. But they have also managed to control windshield wipers, fold the side rearview mirrors, open the trunk, and manipulate the brakes from 12 miles away.

“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars. We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected,” they noted.

“The issue demonstrated is only triggered when the web browser is used (web browser functionality not enabled in Australia). Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly,” a Tesla spokesperson told ZDNet.

The software update fixing the flaws has already been deployed over-the-air, so details about them should soon be revealed.

Help Net Security

Last Friday, General Motors announced that the owners of some 3.64 million of its vehicles will have to come in for a re-flash of their sensing and diagnostic module (SDM) software.


Apparently, a software bug tied to the diagnostic “oscillation test” routine in the SDM software makes it so that frontal airbags and seat belt pretensioners will not deploy “in certain rare circumstances when a crash is preceded by a specific event impacting vehicle dynamics.”

They did not explain what these “rare circumstances” are, but noted that the failure of this safety feature to deploy could result in an increased risk of injury to the driver and front passenger.

Cars affected by this latest problem include certain:

  • 2014-2016 model year Buick LaCrosse and Chevrolet SS and Spark EV
  • 2014-2017 model year Chevrolet Corvette, Trax, Caprice PPV and Silverado 1500; Buick Encore; and GMC Sierra 1500, and
  • 2015-2017 model year Chevrolet Tahoe, Suburban and Silverado HD; GMC Yukon, Yukon XL and Sierra HD; and Cadillac Escalade and Escalade ESV.

Owners of those cars will be notified by the company, and the software update will be free of charge – they only need to visit a GM dealership.

As time-consuming as this might seem both for the vehicle owners and the dealerships, there must be a reason why the update can’t be performed over-the-air (i.e. remotely).

Maybe GM does not believe that, at the moment, they can assure the total security of this approach. Unfortunately, the come-in-the-dealership-and-we’ll-fix-it approach has its own problems, as many owners will ignore the recall, or simply won’t have the time to do it.

But, with the recall notification, GM has effectively put the onus of keeping themselves safe on the car owners.

This is not the first time that GM has had problems with airbags. In fact, in 2014 defective ignition switches in some of its cars resulted in the non-deployment of the airbags, and at least 13 individuals lost their lives due to it.

Help Net Security

As smart, connected cars get more ubiquitous, they are often the only option you get when renting a car from a rental agency. With all the reports about car hacking, you might be worried whether someone could manipulate the vehicle you’re renting, but in the real world, that danger still seems far off.


A more near and present danger is that of inadvertently sharing your personal data with the car, and therefore with its owners (at a minimum).

“When you use the car’s infotainment system, it may store personal information. It may keep locations you entered in GPS or visited when travelling in the rental car – like where you work or live,” Lisa Weintraub Schifferle, an attorney with the US Federal Trade Commission, explains.

“If you connect a mobile device, the car may also keep your mobile phone number, call and message logs, or even contacts and text messages. Unless you delete that data before you return the car, other people may view it, including future renters and rental car employees or even hackers.”

She advises users to be careful which access permissions they grant to the infotainment system when they plug their mobile device into it, and to charge their devices through the car’s cigarette lighter adapter instead of the infotainment system if they want to avoid all contact between the two.

She also says it’s a good idea to delete your data from the infotainment system before returning the car.

“Go into the infotainment system’s settings menu to find a list of devices that have been paired with the system. Locate your device and follow the prompts to delete it,” she instructs.

I would add: remember to do the same if you’re selling your own car.

Help Net Security

Car remote controls can be cloned

Researchers have disclosed two remote keyless system attack methods that can be exploited by thieves to clone entry remotes and unlock millions of cars worldwide.

The fact that various functions of a moving car can be hijacked by a hacker with local or remote access is not a secret, but most attacks are not easy to carry out in the real world. There are, however, certain types of vulnerabilities that have a serious immediate impact – weaknesses that allow thieves to open and start cars.

There have been numerous cases over the past years where thieves used electronic devices to open or start vehicles, and manufacturers haven’t always been able to figure out exactly how it’s done. However, security researchers have also discovered some attack methods that might have been used, or ones that could be leveraged in the future.

Last year, researchers from Radboud University in the Netherlands and the University of Birmingham in the U.K. disclosed a vulnerability in vehicle immobilizers that could have been exploited to start the engine on various car models, including luxury brands. The issue was discovered in 2012, but Volkswagen filed a lawsuit against the experts to prevent them from making their findings public.

At the USENIX Security Symposium taking place these days in Austin, TX, a team of researchers from the University of Birmingham is disclosing new findings, this time focusing on vulnerabilities in remote keyless entry (RKE) systems.

When a vehicle owner presses the button on the electronic remote to lock or unlock the doors, the command is sent via signals generated by a radio frequency transmitter. In modern vehicles, RKE systems use cryptography and a counter value to generate a rolling code signal. The vehicle decrypts the signal and verifies the counter value to ensure that it’s new in an effort to prevent replay attacks.
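As an added illustration of the counter check just described (example code, not from the researchers' paper or either article), the toy receiver below accepts a frame only if its tag verifies under the car's key and its counter is both newer than the last accepted one and within a resynchronisation window. The per-vehicle key, the HMAC-SHA256 tag standing in for the real ciphers, and the window size are assumptions.

```python
import hashlib
import hmac
import os

# Toy rolling-code scheme (assumption: real RKE systems use different
# ciphers and framing). Fob sends counter || tag, tag = HMAC(key, counter).
TAG_LEN = 8      # bytes of the MAC kept in the over-the-air frame
WINDOW = 256     # how far ahead of last_seen the car will resynchronise


class Fob:
    """Key fob side: increments a counter and authenticates it."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def press(self) -> bytes:
        self.counter += 1
        ctr = self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, ctr, hashlib.sha256).digest()[:TAG_LEN]
        return ctr + tag


class Car:
    """Vehicle side: verifies the tag, then enforces counter freshness."""

    def __init__(self, key: bytes, last_seen: int = 0):
        self.key = key
        self.last_seen = last_seen

    def verify(self, frame: bytes) -> str:
        if len(frame) != 4 + TAG_LEN:
            return "malformed"
        ctr_bytes, tag = frame[:4], frame[4:]
        expect = hmac.new(self.key, ctr_bytes, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare: a forged or wrong-key frame fails here.
        if not hmac.compare_digest(tag, expect):
            return "bad_tag"
        ctr = int.from_bytes(ctr_bytes, "big")
        if ctr <= self.last_seen:
            return "replay"            # captured-and-resent frame
        if ctr > self.last_seen + WINDOW:
            return "out_of_window"     # fob pressed too often out of range
        self.last_seen = ctr           # accept and advance the counter
        return "unlock"


def demo() -> list:
    """Runs the four cases a defender cares about and returns the verdicts."""
    key = os.urandom(16)               # constructed per-vehicle key
    fob, car = Fob(key), Car(key)
    first = fob.press()
    results = [car.verify(first), car.verify(first)]   # fresh, then replayed
    for _ in range(WINDOW + 1):                         # presses the car never saw
        fob.press()
    results.append(car.verify(fob.press()))             # beyond the window
    results.append(Car(os.urandom(16)).verify(fob.press()))  # wrong key
    return results


if __name__ == "__main__":
    print(demo())
```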

The Volkswagen Group has a global market share of roughly 12 percent and owns the Audi, Bentley, Bugatti, Lamborghini, Porsche, SEAT, Skoda and Volkswagen brands. However, researchers found that the company has used only a handful of global cryptographic keys to secure this signal in the past 20 years.

Malicious actors who obtain these crypto keys can use them to decrypt the signal from a victim’s remote control. According to researchers, thieves could intercept the signal from up to 100 meters (330 feet), decrypt it, and use the information to create a clone of the original remote control.

Experts believe a large number of vehicles manufactured by the VW Group between 1995 and 2016 are affected, including Audi, VW, SEAT and Skoda models – many of which have been practically tested by the researchers. The carmaker sold roughly 100 million cars between 2002 and 2015 and a large majority are likely vulnerable. Newer models, such as the VW Golf 7, rely on a new platform that is not affected.

Since completely addressing this security bug is not an easy task for the VW Group, researchers believe the only somewhat practical countermeasure is to deactivate or refrain from using the RKE functionality and resort to the mechanical lock.

A second attack method discovered by researchers involves the Hitag2 rolling code scheme, which is used in many cars, including Alfa Romeo, Chevrolet, Opel, Peugeot, Renault and Ford models. In the case of Hitag2, the scheme does not rely on fixed cryptographic keys, but experts determined that the cryptographic key for a certain vehicle can be recovered based on 4-8 rolling codes.

If an attacker can intercept these rolling codes, they can recover the cryptographic key within minutes using a regular laptop – assuming that they have figured out the algorithm. What makes this attack more difficult is that the thief would need to follow the victim around to capture the signal sent after the button was pressed several times on the remote control.

Another possibility is to selectively jam the signal to prevent the door from locking/unlocking. The victim would likely press the button multiple times, allowing the attacker to intercept the needed codes in quick succession.

“The necessary equipment to receive and send rolling codes, for example SDRs like the USRP or HackRF and off-the-shelf RF modules like the TI Chronos smartwatch, are widely available at low cost. The attacks are hence highly scalable and could be potentially carried out by an unskilled adversary,” researchers said. “Since they are executed solely via the wireless interface, with at least the range of the original remote control (i.e. a few tens of meters), and leave no physical traces, they pose a severe threat in practice.”

Some technical information on these attacks is available in the whitepaper published by the researchers, although some details have not been disclosed in order to prevent abuse.

SecurityWeek RSS Feed

Security researchers have come up with a way to unlock cars manufactured by vendors around the world, and are set to present their findings on Friday at the Usenix security conference in Austin, Texas.

They have devised two attacks:

  • One that targets cars of the Volkswagen Group (VW, Seat, Škoda, and Audi), and involves recovering the cryptographic algorithms and keys from electronic control units, allowing them to clone the signal that will open the car, and
  • Another that takes advantage of the cryptographically weak cipher in the Hitag2 rolling code scheme used by Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, Ford and other car makers. The result of the attack is the same: an unlocked car.

“Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles,” the researchers noted.

The attacks are perhaps not extremely easy to execute, as they require specific technical knowledge and effort, but the hardware tools required to pull them off are cheap and accessible to practically everyone.

For example, this Arduino-based RF transceiver costs less than $40, and can eavesdrop and record rolling codes, emulate a key, and perform reactive jamming:


Both attacks can be performed in mere minutes. The researchers did not probe the security of the remote control systems installed on all of the vehicles manufactured by the aforementioned automakers, but those that they managed to compromise are present (in VW’s case) on hundreds of millions of cars, most of which are probably still being driven around.

While these attacks do not allow the attacker to start the car and drive away with it, they can be paired with attacks that allow that, the researchers noted.

Also, stealing valuable objects from inside the car can be pulled off quickly and without leaving a trace on how the car was accessed – victims might even think they forgot to lock the car.

It’s good to note that similar attacks have been demonstrated earlier this year by a group of researchers from ADAC, the largest automobile club in Europe, and before that by researchers from ETH Zurich.

Unfortunately, there is not much car owners can do about this problem, apart from refraining from leaving valuable things in their cars, and from using the remote control system altogether (i.e. choose to unlock their car by using the physical key).

It’s the automakers who should do something about it, but it’s unlikely they will.

“Completely solving the described security problems would require a firmware update or exchange of both the respective ECU and (worse) the vehicle key containing the remote control. Due to the strict testing and certification requirements in the automotive industry and the high cost of replacing or upgrading all affected car keys in the field, it is unlikely that VW Group can roll out such an update in the short term,” the researchers noted.

The team says that it’s unknown whether the attacks they devised are currently carried out in the wild by criminals, but that it’s likely they are. “There have been various media reports about unexplained theft from locked vehicles in the last years. The security issues described in this paper could explain such incidents,” they concluded.

For a list of affected cars check out the researchers’ paper.

Help Net Security