Researchers Used a Drone and a WiFi Dongle to Break Into a Tesla
A hardcoded password was just the start.
In the information age, releasing any new connected product will draw the attention of people who want to test the limits of just how secure it is. In fact, most large enterprises not only predict this, but offer big bounty programs to encourage "white hat" hackers to find, validate, and responsibly disclose vulnerabilities before bad actors can exploit them in the wild. This, of course, also applies to connected cars like Tesla.
Two security researchers recently published their findings after alleging that it was possible to hack a Tesla simply by the vehicle being near a wireless access point. And to make matters more interesting, they were reportedly able to deliver their attack remotely using a drone with a wireless module affixed to it, making it possible to deliver the attack payload remotely without having a direct line of sight to the vehicle.
The vulnerability, called "TBONE," was originally meant to be an entry for the Pwn2Own 2020 security contest, though it was publicly disclosed by German security researchers Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris at CanSecWest 2021 last week. The two researchers were able to successfully gain privileged access to any Tesla vehicle produced after mid-2018 without ever having to touch the vehicle itself, or even see it. This allowed them to unlock the car, open the charge port, and execute any command that a driver would be able to do from the car's infotainment screen.
Here's how it works: Weinmann and Schmotzle knew that all Tesla vehicles were programmed to look for a wireless network called "Tesla Service." The credentials for this network, including the passcode (which was covertly shared on Twitter for quite some time and used in several other attack vectors throughout the years), are hard-coded into the car's firmware. When a Tesla vehicle is parked, it will begin scanning for the network and automatically connect to it without any manual interaction.
Because the vehicle would connect to this network anywhere, it was possible to launch the attack remotely. This could be accomplished by leaving a rogue computer in a remote location, or by flying a drone overhead that broadcasted the network. The researchers chose the latter, explaining that it would be possible to fly the drone to a Supercharger or location with a large concentration of other Tesla vehicles and launch the attack.
The researchers decided that they would use the connection as a starting point and focus on using the Model 3's built-in web browser as an attack vector, as they did in 2019 when Tesla pushed an update to vehicles that swapped out QTWebkit for Chrome just days before the Pwn2Own contest was scheduled. However, they would first need to find a way to execute the arbitrary code.
At the time, Tesla vehicles used an open-source network connection manager called ConnMan, which was originally developed by Intel for its Moblin (short for "Mobile Linux") platform. This software supports a myriad of connection protocols across the network stack and is accessible once the car connects to a wireless network, making it an ideal attack vector for the team to exploit.
The team then chained together two attacks which are now disclosed in the Common Vulnerabilities and Exposures database (CVE-2021-26675 and CVE-2021-26676) and was able to execute remote code.
TBONE was reported to Tesla and the bugs were quickly fixed in a new software update, meaning they are no longer exploitable. However, the root of the problem was ConnMan, and when reported to Intel's Product Security Incident Response Team, the researchers say that Intel didn't want to take ownership of the issue.
Further investigation unveiled that using ConnMan had become a standard in automotive-grade Linux at the recommendation of the GENIVI Alliance, an organization that helps develop standards for in-car infotainment systems. That means it's possible infotainment systems developed by partner companies may use the software which was exploited using TBONE.
The Drive was able to find ConnMan included in Bosch's Open Source Software license disclosure for Nissan Connect, Nissan AIVI, Infiniti InTouch, Renault, Suzuki, and General Motors (for the model year 2019 and older Chevrolet, GMC, Buick, and Opel vehicles). Hyundai has noted its use of a vulnerable version of Connman in an OSS disclosure, as have a plethora of other automakers. It's not immediately clear if the affected software will be patched by automakers other than Tesla.
Got a tip or question for the author? You can reach them here: Rob@thedrive.com