Grand Theft Tesla: Android App Hack Unlocks, Starts Car
Tesla drivers who use the company's Android app to control their cars could be facing a serious security problem, according to security researchers who demonstrated in a video that anyone with a laptop and Android hacking skills can abuse the app to unlock, start and drive away a stranger's Tesla.
In a blog post and YouTube video from last week, researchers at Norwegian computer-security firm Promon showed how they could track and unlock Tesla vehicles. They could even steal the vehicles, using a Tesla app feature that lets owners start and drive the car without having the key fob on them.
The problem exists in part, the Promon blog post said, because many Android phone manufacturers aren't delivering the operating-system security patches needed to block such attacks. More current versions of Android, such as Android 6 Marshmallow or Android 7 Nougat, make the attack more difficult, but not impossible.
This specific attack used a malicious app downloaded from the Google Play app store onto a non-rooted 2014 Samsung Galaxy A5 running Android 5.0 Lollipop, the most recent version of the OS available for that model of phone. A Tesla owner would have to unknowingly install such a malicious app, but that happens often enough, even from the official Google Play app store.
Furthermore, this attack applies only to Tesla drivers who have set up the Android app so that they don't need to enter their login credentials every time they use it. Doing so creates an authentication token that's valid for 90 days, which the Tesla app stores on the phone without encryption. Many kinds of Android malware could copy and reuse that token to gain access to the car.
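To make the storage weakness concrete, here is an added example (written for this page; it is not Tesla's or Promon's code) of the two ways an Android app can keep a long-lived session token. The first class stores it in clear text in the app's SharedPreferences file, which is the pattern the article describes; the second encrypts it with an AES-GCM key held in the Android Keystore so that the key material never leaves the hardware-backed store. The class names, the preferences file name and the key alias are illustrative choices for this example.

```java
// Added example, not code from the Tesla app. Names are illustrative.
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;

import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Weak: the token lands in clear text in shared_prefs/session.xml inside the app's data directory. */
final class PlaintextTokenStore {
    private final SharedPreferences prefs;

    PlaintextTokenStore(Context ctx) {
        prefs = ctx.getSharedPreferences("session", Context.MODE_PRIVATE);
    }

    void save(String token) {
        // Anything that can read the app's private files (root, a backup, a
        // privilege-escalation exploit) now has a token good for its whole lifetime.
        prefs.edit().putString("access_token", token).apply();
    }

    String load() {
        return prefs.getString("access_token", null);
    }
}

/** Hardened: token encrypted with an AES-GCM key that lives in the Android Keystore (API 23+). */
final class KeystoreTokenStore {
    private static final String KEY_ALIAS = "session_token_key"; // illustrative alias
    private static final int GCM_TAG_BITS = 128;
    private final SharedPreferences prefs;

    KeystoreTokenStore(Context ctx) {
        prefs = ctx.getSharedPreferences("session", Context.MODE_PRIVATE);
    }

    /** Returns the Keystore-resident key, generating it on first use. */
    private static SecretKey key() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        if (ks.containsAlias(KEY_ALIAS)) {
            return (SecretKey) ks.getKey(KEY_ALIAS, null);
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                .build());
        return kg.generateKey(); // key material is created and kept inside the Keystore
    }

    void save(String token) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key()); // Keystore supplies a fresh random IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(token.getBytes(StandardCharsets.UTF_8));
        prefs.edit()
             .putString("access_token_iv", Base64.encodeToString(iv, Base64.NO_WRAP))
             .putString("access_token_ct", Base64.encodeToString(ct, Base64.NO_WRAP))
             .apply();
    }

    String load() throws Exception {
        String ivB64 = prefs.getString("access_token_iv", null);
        String ctB64 = prefs.getString("access_token_ct", null);
        if (ivB64 == null || ctB64 == null) return null;
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key(),
               new GCMParameterSpec(GCM_TAG_BITS, Base64.decode(ivB64, Base64.NO_WRAP)));
        // GCM authentication fails here if the stored ciphertext was tampered with.
        return new String(c.doFinal(Base64.decode(ctB64, Base64.NO_WRAP)), StandardCharsets.UTF_8);
    }

    void clear() {
        prefs.edit().remove("access_token_iv").remove("access_token_ct").apply();
    }
}
```

Two caveats a practitioner should keep in mind. First, KeyGenParameterSpec and Keystore-held AES keys arrived with Android 6.0 (API 23), so the hardened store is not even available on a phone stuck at Android 5.0 like the one in the demonstration, which is one concrete way unpatched, unupgraded handsets weaken app security. Second, Keystore encryption protects a token that is copied off the device, but malware that gains root or runs as the app's own UID on a live phone can still ask the Keystore to decrypt on the app's behalf; that is why a 90-day token lifetime is a problem in itself and why sensitive actions should require fresh authentication regardless of how the token is stored.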
However, to start the car, the malware also needs to capture the user's actual username and password, since the keyless-driving feature requires them. Again, many kinds of Android malware are able to harvest credentials.
Source | tomsguide