A smartphone app flaw has left Tesla vehicles vulnerable to being tracked, located, unlocked, and stolen.

Security experts at Norwegian app security firm Promon were able to take full control of a Tesla vehicle, including finding where the car is parked, opening the door and enabling its keyless driving functionality. A lack of security in the Tesla smartphone app opened the door to all manner of exploits, as explained in a Promon blog post. The attack unearthed by Promon goes further than the one demonstrated by Keen Security Labs in a separate hack in late September.

Tom Lysemose Hansen, founder and CTO at Promon, said: "Keen Security Labs' recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car."

One way for the hack to work is for cybercriminals to set up a Wi-Fi hotspot, likely close to a public Tesla charging point. When Tesla users log in and visit a page, an advert targeting car owners appears, offering an incentive such as a free meal or coffee. When clicking this link and downloading the accompanying app, hackers can gain access to the user's mobile device, allowing them to attack the Tesla app and obtain usernames and passwords.

In an update, Promon outlines the many and varied security shortcomings of Tesla's app.

This attack is not Tesla specific, and can in generalised form be used against any app. However, the Tesla app did not offer any kind of resistance which would require time-consuming effort to exploit.

One thing that stood out was that the OAuth token is stored in plain text – absolutely no attempt has been made to encrypt it, or otherwise protect it. Getting access to this one piece of data alone will give you the location of the car, the ability to track the car and the ability to unlock the car.

Driving off with the car requires the username and password in addition, which was very easy to do since the application did not detect that it had been modified to add malware-like behaviour that would send the credentials out of the app to a server.
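As an added illustration (not code from Promon, Tesla or the article), the two weaknesses described above in Android terms, assuming the app is an Android app that can use androidx.security:security-crypto, with the hypothetical class name TokenStore and a placeholder certificate digest: the plaintext token store beside a Keystore-backed one, and the signing-certificate self-check whose absence let the modified app run unnoticed.

```java
// Added example, not code from Promon, Tesla or the article. Assumes an Android
// app using androidx.security:security-crypto; TokenStore and the digest are hypothetical.
import android.content.Context;
import android.content.SharedPreferences;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKeys;
import java.security.MessageDigest;

public final class TokenStore {
    private static final String PREFS = "session";
    private static final String KEY_TOKEN = "oauth_token";
    // Placeholder: SHA-256 of the release signing certificate, fixed at build time.
    private static final String EXPECTED_CERT_SHA256 = "<release-cert-sha256-hex>";

    // The pattern the article describes: the bearer token is written as-is into
    // an XML file in the app's private storage, so anyone who can read that
    // file (root, a device backup, a second flaw in the app) holds a usable session.
    static void saveTokenPlaintext(Context ctx, String token) {
        ctx.getSharedPreferences(PREFS, Context.MODE_PRIVATE)
           .edit().putString(KEY_TOKEN, token).apply();
    }

    // Hardened form: keys and values are encrypted under a master key kept in
    // the Android Keystore, so the file on disk never contains the bare token.
    static void saveTokenEncrypted(Context ctx, String token) throws Exception {
        String masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC);
        SharedPreferences prefs = EncryptedSharedPreferences.create(
                PREFS + "_enc", masterKeyAlias, ctx,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
        prefs.edit().putString(KEY_TOKEN, token).apply();
    }

    // Tamper check the article says was missing: a repackaged APK has to be
    // re-signed with a different key, so its certificate digest no longer
    // matches the one compiled in. Run at startup and refuse to use stored
    // credentials when it fails.
    static boolean signingCertMatches(Context ctx) throws Exception {
        PackageInfo info = ctx.getPackageManager().getPackageInfo(
                ctx.getPackageName(), PackageManager.GET_SIGNATURES);
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        for (Signature sig : info.signatures) {
            if (EXPECTED_CERT_SHA256.equalsIgnoreCase(hex(sha256.digest(sig.toByteArray())))) {
                return true;
            }
        }
        return false;
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

An in-app check of this kind raises the effort required rather than ruling out repackaging, since the check itself lives in the code being modified; that is the point of the layered "self-protecting capabilities" Promon refers to.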

"If Tesla had followed best practice in security (e.g. as recommended by the Open Web Application Security Project), including applying self-protecting capabilities inside the app, it would have required much higher technical skills – and much more effort – to perform such an attack," according to Promon. The Norwegian app security firm said that it was in "close dialogue with Tesla" in order to address these app security issues.

El Reg asked Tesla to comment on the research on Thursday, a US national holiday. We're yet to hear back but we'll update this story as and when we hear more.

John Smith, principal solutions architect at app security firm Veracode, commented: "With Tesla just recently remediating a vulnerability which allowed the car to be exploited remotely, this new security flaw leaves the car vulnerable to theft and highlights the plethora of challenges that car manufacturers now face as they introduce internet-connected services into the car. Vulnerable software is one of the most significant challenges faced by the automotive industry, with findings from a recent IDC report indicating that there could be a lag of up to three years before car security systems are protected from hackers.

"There are over 200 million lines of code in today's connected car, not to mention smartphone apps linked to the car. So it is essential that car manufacturers put security at the heart of the development strategy, rather than as an afterthought." ®

The Register - Security

The Manhattan District Attorney's Office released an updated report denouncing smartphone encryption, but experts said the data was willfully misleading.

Cyrus Vance, Jr., district attorney for New York County, released version 2.0 of the Report on Smartphone Encryption and Public Safety. According to the report, the Manhattan DA's Office has "423 Apple iPhones and iPads lawfully seized since October 2014 [that] remain inaccessible due to default device encryption." Vance said the number of inaccessible devices has been on the rise.

"While the Manhattan District Attorney's Office has been locked out of approximately 34% of all Apple devices lawfully recovered since October 2014, that number jumped to approximately 42% of those recovered in the past three months," the report said. "With over 96% of all smartphones worldwide operated by either Apple or Google, and as devices compatible with operating systems that predate default device encryption are becoming outdated, this trend is poised to continue."

Experts said there was important context information omitted from this portion of the report, notably how many total cases the Manhattan DA's Office handled over that time period in order to understand the proportion of cases influenced by inaccessible mobile devices.

Rebecca Herold, CEO of Privacy Professor, said given the population and the amount of crime in the New York area, 423 inaccessible devices collected over two years "seems very low."

"Plus, for those 400 devices, how many were they able to get metadata, logs from associated cloud services, and other data from that did help with their investigation?" Herold asked. "They should have provided those insights to support a balanced report."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said the report also didn't mention the number of people protected by smartphone encryption.

"It's safe to estimate that the number of people protected from threat actors by iOS security is by far greater than the 400 devices in question by the Manhattan DA," Arsene said. "Encryption technologies have caused more good than harm when it comes to protecting privacy."

Matthew Gardiner, cybersecurity strategist at Mimecast, said "Apple sells approximately 50 million iPhones every quarter, and has sold approximately 1 billion since the beginning of time. Increasing the vulnerability of the vast majority of those users to open up 400 phones is not a reasonable tradeoff."

The report said "approximately 10% of the impenetrable devices pertain to homicide or attempted murder cases and 9% to sex crimes," and Arsene said these distinctions were important.

"While 400 devices might not seem like a large number, it all depends on whom those devices belong to and whether or not those individuals were involved in activities endangering national security," Arsene told SearchSecurity. "However, it's entirely possible that incriminating evidence involving terrorist or criminal activities could probably be procured from other sources, rather than relying on a single phone as a single point conviction."

Surveillance and privacy

The report discussed the potential other sources for gathering investigative data, but argued against the idea that we live in a "golden age of surveillance."

"The other sources of information may be incomplete, or unavailable to law enforcement," the report read. "They generally do not give as complete a picture of criminal liability, or as complete access to evidence relevant to a criminal investigation or prosecution, as would a mobile device."

Additionally, the report said the end-to-end encryption being added to communication apps like Facebook Messenger and WhatsApp "show that far from it being a 'golden age' for law enforcement, today's criminals have means of communication that are more secure from law enforcement's scrutiny than criminals had ever dared hope."

Experts pointed out this argument ignored two major sources of data available to investigators faced with smartphone encryption: metadata and cloud backups. Apple has admitted to providing law enforcement with metadata and iCloud backup data when presented with a valid warrant.

Arsene said there was no way to know if there was iCloud data associated with the devices in question obtained by the Manhattan DA's Office, but he stressed that metadata can be valuable.

"Metadata is at the core of modern day information collection technologies as it removes any personally identifiable information about the individual from the picture, and focuses on his behavior, without infringing on his right to privacy," Arsene said.

Herold said strong encryption was not only available in the U.S. and "if a terrorist or criminal is bent on keeping their communications with others strongly protected, they have many options available elsewhere throughout the world they can use." Additionally, Herold said the constant argument for weakened encryption or backdoors has ultimately limited law enforcement from getting metadata for investigations.

"Requiring U.S. technology companies to build backdoors into encryption will result in criminals and terrorists using encryption tools from other countries, will only hurt U.S. businesses by driving all consumers to other countries for such technologies and will not lead to measurably any more capabilities for their investigation purposes," Herold said. "In fact, investigators will now have less data, because those non-U.S. technology companies will not cooperate with U.S. investigators on cases where they could have gotten a lot of metadata, logs and other useful data beyond the encrypted data from a U.S.-based tech company, such as Apple or any other tech business they seem focused on ruling over."

The Manhattan DA's Office declined to comment on this story.

Getting around smartphone encryption

According to the report, the Manhattan DA's Office "advocates enactment of a federal law that would require smartphone manufacturers and software designers whose software is used in smartphones to retain the ability to extract the information on the smartphones, if and when the manufacturer or designer receives a search warrant for that information. The proposed legislation would restore the status quo before Apple's iOS 8, and would be no different conceptually than legislation that requires products to be safe, buildings to be constructed with exits and egresses that satisfy specific requirements, and roads to have maximum speed limits."

The "status quo" refers to the time before iOS 8 when full device encryption was not the default for Apple products. The report asserts "the actual benefits of iOS 8's default device encryption [has] not been demonstrated by Apple" and "default device encryption does not meaningfully increase smartphone users' protection from unauthorized hackers."

Experts widely disagreed with this assessment, and Herold pointed out the report referenced a decision in The Netherlands that contradicted the argument of the Manhattan DA's Office.

In the list of actions from other countries the report pointed out that "in January 2016, the Dutch government announced that it would not require technology companies to share encrypted communications with security agencies."

The link in the footnote quoted the Dutch Ministry of Security and Justice saying that allowing law enforcers to access protected data would make digital systems vulnerable to "criminals, terrorists and foreign intelligence services," and added "this would have undesirable consequences for the security of information stored and communicated and the integrity of [information and communication technology] systems, which are increasingly of importance for the functioning of the society."

Herold said, "That point summarizes the heart of the issue well: we need strong encryption for the peaceful and privacy-respecting functioning of our modern, digital society."

The report reiterated the various security claims made by Apple regarding iOS 7 in 2012. Specifically, it said that before iOS 8 Apple maintained the ability to aid law enforcement with investigations and said that "Apple's method of data extraction before iOS 8 was never compromised."

Arsene said Apple's advancement of iOS security was "not necessarily aimed at hindering law enforcement efforts, but at offering users more privacy and security features with the purpose of adding value to Apple's products."

"Good enough security has never been best practice, especially since the digitalization of services and infrastructures has brought forward new attack methods and threats. Security is all about constantly developing and placing more barriers between you and the attacker, increasing the cost of attack and making it difficult for someone to gain access to your data," Arsene said. "Cybercriminals are more creative than we'd like to think and relying on outdated or deliberately vulnerable technologies to protect and secure our data is not just bad practice, but also shortsighted."

Ultimately, the report said there was "an urgent need for federal legislation that would compel software and hardware companies that design or build mobile devices or operating systems to make such devices amenable to appropriate searches," but said all current attempts, including the Burr-Feinstein bill were inadequate. Because of this, the Manhattan DA's Office has proposed legislation that "would require those who design operating systems to do so in a way that would permit law enforcement agents with a search warrant to gain access to the mobile devices."

Herold said "it is misleading, at best, to vilify the use of strong encryption," and said the Manhattan DA's Office is asking for a smartphone encryption backdoor, just without using the word "backdoor."

"Law enforcement has got to stop propagating the false narrative of encryption being all bad. They must balance the effect of encryption to also point out the significantly larger amount of good this effective technology tool does than any harm that they always seem to focus upon," Herold said. "Overall their report is not balanced, and is skewed to promoting fear, uncertainty and doubt within the public in an effort to get their way, and to in effect get access to everyone in the U.S.'s digital selves. If people cannot be compelled to speak in person, then they should not be compelled to have their digital voices revealed either."

SearchSecurity: Security Wire Daily News

On a recent Himalayan trek, I realized just how much I rely on access to the internet to survive, whether it’s GPS for directions or something as simple as checking information on a local fruit. It is undeniable that the internet has become an integral part of our lives, and the smartphone industry is the major driving force behind this revolution.

This privilege isn’t exclusive to urban citizens in India. Many factors, such as the Digital India initiative, the affordability of smartphones and the reduced cost of mobile data have combined to ensure that even remote villages are connected to the internet.

An increase in dependency on the internet also means that our personally identifiable information (PII), which we often freely share on the internet, is exposed and can be used against our will. Cybersecurity is now a serious issue for countries such as India to tackle.

India: A Top Target

India is attracting the attention of ransomware creators. According to research by Kaspersky Lab, as reported by The Indian Express, India is the fifth-most attacked country in the world.

With the vast majority of users saving their personal information on mobile devices, this avenue provides rich pickings for malicious actors. A huge internet user base of around 400 million, continued usage of legacy systems in the government and banking sectors, and a general reluctance to spend on cybersecurity make India a prime target for cybercriminals.

Social Banking Puts Smartphone Users at Risk

Most mobile applications encourage payment through a unique e-wallet facility. Mobile wallets are among the most popular apps due to the ease with which a transaction can be conducted. Additionally, social banking is just starting to pick up in India.

According to Banking Technology, Axis Bank recently rolled out a social banking capability that encourages payments through social channels such as Twitter. This is a nice advancement in banking technology, but it also pushes the boundaries of security. Social channels accessed through unsecured endpoints will encourage cybercriminals to find the loopholes in the system.

Users Put PII Up for Grabs

Mobile apps offered through reputed stores are monitored for security and privacy risks. An application residing outside these stores, however, is downloaded at the user’s risk. In the pursuit of instant knowledge and entertainment, many users fail to consider the amount of PII apps can access on their smartphones. A Norton survey found that a negligible percentage of users denied an app permission to access data on their smartphones. Alarming, isn’t it?

You Get What You Pay For

With the drop in smartphone prices, more people are connected to the internet than ever before. Cheaper phones, however, are less likely to receive OS upgrades from their manufacturers, leaving them exposed to attacks that exploit weaknesses in older software versions.

Insufficient National Policies

With nearly 200 million smartphone users, India is forced to look at cyberthreats as a real issue that warrants attention. The government set up a national cybersecurity policy that aims to protect public and private infrastructure from cyberattacks. There is still a long way to go, however, before the policy becomes effective in dealing with cyberthreats in real time.

Currently, cybercrime is dealt with on a case-by-case basis. But India lacks a uniform security framework to address cyberthreats effectively. While it is imperative for users to be cautious about data sharing, it is also the obligation of the government to safeguard the privacy of citizens’ data and reduce economic losses due to cybercrime.

Securing Your Smartphone

While the government mulls its plan of action, consumers can protect their data by following a few simple steps:

  • Use strong passwords.
  • Download applications from known and trusted sources, such as Google Play Store.
  • Be wary of links and attachments in emails.
  • Invest in a basic mobile security solution.

If there is one thing I learned during my Himalayan trek, it is that though there are guidelines and tricks to surviving a high-altitude adventure, it is mostly our gut instincts and strong will to survive that allows us to reach new heights safely. So be safe, smart and secure, and we may yet navigate these cybersecurity challenges and come out unscathed.

Security Intelligence