A smartphone app flaw has left Tesla vehicles vulnerable to being tracked, located, unlocked, and stolen.
Security experts at Norwegian app security firm Promon were able to take full control of a Tesla vehicle, including finding where the car is parked, opening the door and enabling its keyless driving functionality. A lack of security in the Tesla smartphone app opened the door to all manner of exploits, as explained in a blog post here. The cyber-attack unearthed by Promon provides additional functionality to that exposed by Keen Security Labs in a different hack in late September.
Tom Lysemose Hansen, founder and CTO at Promon, said: "Keen Security Labs' recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car."
One way for the hack to work is for cybercriminals to set up a Wi-Fi hotspot, likely close to a public Tesla charging point. When Tesla users log in and visit a page, an advert targeting car owners appears, offering an incentive such as a free meal or coffee. If the user clicks this link and installs the accompanying app, the attackers gain access to the user's mobile device, allowing them to attack the Tesla app and obtain usernames and passwords.
In an update, Promon outlines the many and varied security shortcomings of Tesla's app.
This attack is not Tesla specific, and can in generalised form be used against any app. However, the Tesla app did not offer any kind of resistance which would require time-consuming effort to exploit.
One thing that stood out was that the OAuth token is stored in plain text – absolutely no attempts have been made to encrypt it, or otherwise protect it. Getting access to this one piece of data alone will get you the location of the car, the ability to track the car and the ability to unlock the car.
Driving off with the car requires the username and password in addition, which was very easy to do since the application did not detect that it had been modified to add malware-like behaviour that would send the credentials out of the app to a server.
"If Tesla had followed best practice in security (e.g. as recommended by the Open Web Application Security Project), including applying self-protecting capabilities inside the app, it would have required much higher technical skills – and much more effort – to perform such an attack," according to Promon. The Norwegian app security firm said that it was in "close dialogue with Tesla" in order to address these app security issues.
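As an added illustration (not Promon's code and not Tesla's app), the following Python script performs the check an app security reviewer would run against an app's on-device data: walk the app sandbox and flag any OAuth token that is readable in plain text, decoding JWT claims only to report what the file exposes. The directory layout, file names, key names and the JWT-shaped token format are all assumptions (the page does not give Tesla's actual token format), and the sample sandbox is constructed in a temporary directory.

```python
import base64
import json
import os
import re
import shutil
import tempfile

# Heuristics for a bearer token sitting in plain text on disk. The JWT pattern
# (three base64url segments, the first beginning with "eyJ", the encoding of '{"')
# and the key names are assumptions for an audit, not Tesla's actual token format.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
KEY_RE = re.compile(
    r'"?(access_token|refresh_token|oauth_token)"?\s*[:=]\s*"?([A-Za-z0-9._-]{16,})',
    re.IGNORECASE,
)


def decode_jwt_claims(token):
    """Decode a JWT payload without verifying it, purely to report what the
    file exposes (subject, expiry, scopes). Returns None if it is not JSON."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def scan_file(path):
    """Return findings for one file: decoded JWT claims or a keyed token value."""
    findings = []
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return findings
    for m in JWT_RE.finditer(text):
        findings.append({"file": path, "kind": "jwt",
                         "claims": decode_jwt_claims(m.group(0))})
    for m in KEY_RE.finditer(text):
        findings.append({"file": path, "kind": m.group(1).lower(),
                         "value_len": len(m.group(2))})
    return findings


def scan_app_sandbox(root):
    """Walk an app's data directory and collect every plaintext-token finding."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_jwt(claims):
    """Constructed JWT-shaped token; the third segment is filler, not a real signature."""
    return ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                     _b64url(claims),
                     _b64url({"sig": "constructed"})])


def build_sample_sandbox():
    """Create a throwaway directory imitating an app sandbox (constructed data):
    one plist holding a JWT, one JSON cache holding an access_token, one clean file."""
    root = tempfile.mkdtemp(prefix="app_sandbox_")
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    token = make_sample_jwt({"sub": "owner@example.com", "exp": 1500000000,
                             "scope": "vehicle_cmds"})
    with open(os.path.join(prefs, "com.example.carapp.plist"), "w") as fh:
        fh.write(f"<key>oauth_token</key>\n<string>{token}</string>\n")
    with open(os.path.join(root, "Library", "cache.json"), "w") as fh:
        json.dump({"access_token": "abcdef0123456789ABCDEF", "theme": "dark"}, fh)
    with open(os.path.join(root, "Library", "settings.json"), "w") as fh:
        json.dump({"units": "km"}, fh)
    return root


if __name__ == "__main__":
    sandbox = build_sample_sandbox()
    try:
        for finding in scan_app_sandbox(sandbox):
            print(finding)
    finally:
        shutil.rmtree(sandbox)
```

Any hit means the token's confidentiality rests on file permissions alone, so anyone who gets a copy of the device's data (a malicious app, a backup, a forensic image) gets the vehicle session; the fix is to keep the token in the platform keystore (Keychain on iOS, Keystore on Android) rather than in a preferences file or JSON cache.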
El Reg asked Tesla to comment on the research on Thursday, a US national holiday. We're yet to hear back but we'll update this story as and when we hear more.
John Smith, principal solutions architect at app security firm Veracode, commented: "With Tesla just recently remediating a vulnerability which allowed the car to be exploited remotely, this new security flaw leaves the car vulnerable to theft and highlights the plethora of challenges that car manufacturers now face as they introduce internet-connected services into the car. Vulnerable software is one of the most significant challenges faced by the automotive industry, with findings from a recent IDC report indicating that there could be a lag of up to three years before car security systems are protected from hackers.
"There are over 200 million lines of code in today's connected car, not to mention smartphone apps linked to the car. So it is essential that car manufacturers put security at the heart of the development strategy, rather than as an afterthought." ®
Mac malware could piggy-back on your legitimate webcam sessions - yep, the ones you've initiated - to locally record you without detection, a leading security researcher warns.
Patrick Wardle, a former NSA staffer who heads up research at infosec biz Synack, outlined the vulnerability together with counter-measures he’s developed during a keynote presentation at the Virus Bulletin conference. Peeping Tom-style malware that abuses the video capabilities of an infected computer to record an unwitting user is a threat to both Windows and Mac users. Mac malware such as Eleanor, Crisis, Mokes and others all attempt to spy on Mac OS X users via their webcam.
Luckily, modern Macs contain a hardware-based LED indicator that can alert users when the camera is in use. And physically covering the built-in camera - a la Mark Zuckerberg - also provides a low-tech approach to locking out snoopers, with the downside that it also prevents legitimate use.
Wardle has uncovered a fresh dimension to the problem. After examining various "webcam-aware" OS X malware samples, Wardle identified a new "capability" that would permit this type of malware to stealthily monitor the system for legitimate user-initiated video sessions and then surreptitiously piggyback on those conversations in order to covertly record the user. Because the LED light is already on, there is no visible indication of this malicious activity, and the malware can record both audio and video without fear of detection.
During his presentation, titled Getting Duped: Piggybacking on Webcam Streams for Surreptitious Recordings, Wardle outlined the threat together with techniques geared towards detecting "secondary" processes that attempt to access an existing video session on OS X.
“I have not seen any malware using this technique at this time [but] this is something that would be trivial for malware to do, and there aren’t any tools to detect this capability,” Wardle explained, adding there “may be malware already (ab)using this technique that we just haven’t detected”.
Malware along the lines Wardle discussed would be able to record both sides of a conversation once it detects the webcam being used.
Wardle has released a free tool, OverSight, that he says can detect and identify any process that accesses the webcam, giving users the ability to either block or allow that process. All of these alerts are logged, so a system admin (say, on a corporate network) could also look through the logs after the fact to see what was using the webcam. ®
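The detection Wardle describes amounts to watching which process attaches to the camera and whether another session is already live when it does. As an added example that is not OverSight's code, here is the core of that logic in Python, replayed over a constructed, pre-parsed event stream: the record format, process names and allowlist are assumptions, and a real deployment would derive such records from the macOS camera notifications OverSight hooks rather than from any log format shown here.

```python
from collections import namedtuple

# One pre-parsed camera-access event (constructed format, not a real macOS log line).
CameraEvent = namedtuple("CameraEvent", "ts pid process action")

# Constructed sample stream: a FaceTime call during which an unknown helper
# process attaches to the camera, then a normal call, then an unknown process
# using the camera on its own.
SAMPLE_EVENTS = [
    CameraEvent("2016-10-06T10:00:00", 501, "FaceTime", "start"),
    CameraEvent("2016-10-06T10:00:04", 777, "com.example.helper", "start"),
    CameraEvent("2016-10-06T10:12:30", 777, "com.example.helper", "stop"),
    CameraEvent("2016-10-06T10:12:31", 501, "FaceTime", "stop"),
    CameraEvent("2016-10-06T11:00:00", 600, "zoom.us", "start"),
    CameraEvent("2016-10-06T11:30:00", 600, "zoom.us", "stop"),
    CameraEvent("2016-10-06T12:00:00", 910, "com.example.unknownapp", "start"),
    CameraEvent("2016-10-06T12:05:00", 910, "com.example.unknownapp", "stop"),
]

# Processes the user or admin has approved for camera use (assumed list).
ALLOWLIST = {"FaceTime", "zoom.us", "Photo Booth"}


def analyse_camera_events(events, allowlist=ALLOWLIST):
    """Replay events in time order and produce one alert per camera start.

    An alert is marked 'secondary' when another process already holds the
    camera: that is the piggyback pattern, invisible to the user because the
    LED was lit by the first (legitimate) session."""
    active = {}   # pid -> process name for sessions currently using the camera
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "start":
            alerts.append({
                "ts": ev.ts,
                "pid": ev.pid,
                "process": ev.process,
                "allowlisted": ev.process in allowlist,
                "secondary": bool(active),
                "primaries": sorted(active.values()),
            })
            active[ev.pid] = ev.process
        elif ev.action == "stop":
            active.pop(ev.pid, None)
    return alerts


def piggyback_alerts(events, allowlist=ALLOWLIST):
    """Only the alerts an admin would act on first: a non-allowlisted process
    that attached while a legitimate session was already live."""
    return [a for a in analyse_camera_events(events, allowlist)
            if a["secondary"] and not a["allowlisted"]]


if __name__ == "__main__":
    for alert in analyse_camera_events(SAMPLE_EVENTS):
        flag = "PIGGYBACK" if alert["secondary"] and not alert["allowlisted"] else ""
        print(alert["ts"], alert["pid"], alert["process"], flag)
```

Every start still produces a logged alert, matching the tool's behaviour of recording all camera access, so an admin can review unknown processes that used the camera on their own as well as the higher-priority secondary attachments.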
Slowly but relentlessly, Google is pushing website owners to deploy HTTPS – or get left behind.
The latest announced push is scheduled for January 2017, when Chrome 56 is set to be released and will start showing a warning in the address bar that labels sites transmitting passwords or credit card details over HTTP as non-secure.
In due time, all HTTP pages will be labeled by Chrome as non-secure, and ultimately the HTTP security indicator will turn red and sport the same “Danger!” triangle with which sites with broken HTTPS are currently marked.
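A site owner who wants to find the pages Chrome 56 will label before January can look for the same signal Chrome uses: a password or credit card field on a page loaded over HTTP. The Python scanner below is an added example, not Google's code; its sample pages are constructed, and it also flags an HTTPS page whose form posts to an HTTP action, which goes beyond the Chrome 56 rule as described above but exposes the same data on the wire.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# autocomplete values that mark a payment-card field (standard HTML autofill tokens)
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}


class SensitiveFieldFinder(HTMLParser):
    """Collect password and card inputs together with the form action they post to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_stack = []   # resolved action URLs of the forms currently open
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # relative actions resolve against the page URL, inheriting its scheme
            self.form_stack.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            autocomplete = (a.get("autocomplete") or "").lower()
            if itype == "password" or autocomplete in CARD_AUTOCOMPLETE:
                self.fields.append({
                    "kind": "password" if itype == "password" else "credit-card",
                    "name": a.get("name"),
                    "form_action": self.form_stack[-1] if self.form_stack else self.page_url,
                })

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def audit_page(page_url, html):
    """Return the sensitive fields on a page that would be sent in the clear:
    the page itself is HTTP (the Chrome 56 condition) or the form action is."""
    parser = SensitiveFieldFinder(page_url)
    parser.feed(html)
    page_insecure = urlparse(page_url).scheme != "https"
    findings = []
    for field in parser.fields:
        action_insecure = urlparse(field["form_action"]).scheme != "https"
        if page_insecure or action_insecure:
            findings.append({**field, "page_insecure": page_insecure,
                             "action_insecure": action_insecure})
    return findings


# Constructed sample pages.
SAMPLE_HTTP_LOGIN = """
<html><body>
<form action="/session" method="post">
  <input name="user" type="text">
  <input name="pw" type="password">
  <button>Sign in</button>
</form>
</body></html>
"""

SAMPLE_MIXED_CHECKOUT = """
<html><body>
<form action="http://pay.example/charge" method="post">
  <input name="card" autocomplete="cc-number">
  <input name="zip" autocomplete="postal-code">
</form>
</body></html>
"""

SAMPLE_SAFE_LOGIN = """
<html><body>
<form action="/session" method="post">
  <input name="user" type="text">
  <input name="pw" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, html in [("http://shop.example/login", SAMPLE_HTTP_LOGIN),
                      ("https://shop.example/checkout", SAMPLE_MIXED_CHECKOUT),
                      ("https://shop.example/login", SAMPLE_SAFE_LOGIN)]:
        print(url, audit_page(url, html))
```

Run it over a crawl of your own site's HTML; any page with a finding where page_insecure is true is one Chrome 56 will mark, and the remedy is the same in every case: serve the page over HTTPS and redirect its HTTP address.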
Google is in the perfect position to spearhead the campaign aimed at pushing the collective Internet towards the default use of HTTPS. Changes in Chrome are one way to do it.
Previously employed tactics include prioritising websites using HTTPS in Google Search rankings and adding a new section to the company’s Transparency Report that allows users to keep an eye on Google’s use of HTTPS, and HTTPS use of the top 100 non-Google sites on the Internet.
“A substantial portion of web traffic has transitioned to HTTPS so far, and HTTPS usage is consistently increasing,” noted Emily Schechter, of the Chrome Security Team.
“We recently hit a milestone with more than half of Chrome desktop page loads now served over HTTPS. In addition, since the time we released our HTTPS report in February, 12 more of the top 100 websites have changed their serving default from HTTP to HTTPS.”