Tesla has been hit by the claim that its cars can be stolen by hacking the Tesla smartphone app. The claim comes from Norwegian app security firm Promon. This is the second time in two months that Tesla has been hit with issues over cyber security. As the number of Tesla cars continues to grow, so will the attacks from hackers. Tesla is seen as the benchmark for fully electric vehicles. The question now is whether it can come back from these two incidents and set the benchmark for automotive cyber security.
According to Tom Lysemose Hansen, founder and CTO at Promon: “Our test is the first one to use the Tesla app as an entry point ….. showing that a compromised app can lead directly to the theft of a car. Mobile-focused criminals are more skilled than ever before, and are using a lack of security in mobile apps as an increasingly lucrative source of revenue. Remotely controlling and stealing Tesla cars is a particularly dangerous example of just what can be done, but in theory, any app without the necessary protection in place could be affected.
“Implementing this app security should be a priority for any business with an app containing sensitive user data. One way to achieve this is by introducing self-defending app software that protects the app from the inside out, greatly reducing the possibility of a cyber attack.”
What does the attack reveal?
The details of the attack were disclosed by Lars Lude Birkeland, Marketing Director, Promon AS. In a blog entitled: “Tesla cars can be stolen by hacking the app” and associated YouTube video Birkeland shows how easy it is to take control of a Tesla vehicle. The functions that are covered include:
- Locate and track the car.
- Open the doors of the car.
- Enable the keyless driving functionality that makes it possible to drive the car without the key fob present.
Birkeland claims there is a range of other things the attacker is able to do. However, he declines to go into detail about them. The most important point is that the attack enables a cyber criminal to steal a Tesla. It appears that the Tesla app only requires the user to authenticate themselves once every 90 days. This gives the attacker a large window in which to attack the app in order to steal the car.
To get the user's credentials, the attacker simply has to persuade the user to enter them into a fake app. This is done by persuading the user to download the fake app using a range of different techniques. Once the user enters their username and password, the hacker is able to locate the car and steal it.
What can Tesla do?
Interestingly, Promon has released the details of this hack before it has been fixed. It has said that it is working with Tesla to address the issues it has discovered. It has not said why it released the details of the attack before a fix was available, but presumably this is because of its severity.
Promon has put forward five ways that Tesla could improve the security of its app. These include:
- The application should detect that it has been modified.
- The authentication token should not be stored in clear text.
- The security of the authentication can be improved by requiring two-factor authentication.
- The app should provide its own keyboard for entering the username and password. Otherwise, malicious third-party keyboards can act as keyloggers to obtain the user's credentials.
- The app should be protected against reverse engineering.
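As an added illustration of the second recommendation on Android (this is not Promon's or Tesla's code), the snippet below keeps the authentication token encrypted under a key that never leaves the Android Keystore, instead of writing it to a preferences file in clear text; the key can only be used shortly after the device has been unlocked, which also ties in with the biometric point made later. The key alias and the caller that persists the sealed bytes are assumptions.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical helper: seals/opens the app's auth token with a hardware-backed AES key.
object TokenVault {
    private const val KEY_ALIAS = "example_token_key"   // assumed alias, not Tesla's
    private const val IV_LEN = 12                       // GCM nonce length in bytes
    private const val TAG_BITS = 128                    // GCM authentication tag length

    // Returns the Keystore key, generating it on first use. The raw key bytes are never
    // exposed to the app, so a copied preferences file or a debugger cannot recover them.
    private fun key(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getEntry(KEY_ALIAS, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }
        val kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        kg.init(
            KeyGenParameterSpec.Builder(
                KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
            )
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                // Decryption throws UserNotAuthenticatedException unless the user
                // unlocked the device (PIN/fingerprint) within the last 60 seconds.
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(60)
                .build()
        )
        return kg.generateKey()
    }

    // Encrypts the token; the Keystore picks a fresh random IV, which is stored in front
    // of the ciphertext so the caller persists a single opaque blob.
    fun seal(token: ByteArray): ByteArray {
        val c = Cipher.getInstance("AES/GCM/NoPadding")
        c.init(Cipher.ENCRYPT_MODE, key())
        return c.iv + c.doFinal(token)
    }

    // Decrypts a blob produced by seal(); a tampered blob fails the GCM tag check.
    fun open(blob: ByteArray): ByteArray {
        val c = Cipher.getInstance("AES/GCM/NoPadding")
        c.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(TAG_BITS, blob.copyOfRange(0, IV_LEN)))
        return c.doFinal(blob.copyOfRange(IV_LEN, blob.size))
    }
}
```

The app stores only the output of `seal()`; even if that file is copied off the device, the token cannot be recovered without the Keystore key and a recently unlocked device.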
While Promon is right to suggest these changes, adding biometric security would improve them further. Fingerprint authentication could easily be added to the application and would offer even greater security.
This is not the first time a car manufacturer's app has been targeted. Earlier this year Nissan and Mitsubishi suffered attacks that allowed an attacker to access a vehicle without setting off the alarm. Last year GM was the target of hackers.
The industry has come under increasing attention from security researchers in the last two years. They have shown just how easy it is becoming to attack the cyber security around vehicles. Most of the failures come from poorly implemented separation of systems. This was highlighted by a report the US General Accounting Office published in April.
As apps are increasingly used to control and manage vehicles, it is essential that manufacturers do more to ensure they are secure. If the manufacturers do not prove that they are capable of solving the security challenge, governments might feel compelled to step in.