Tesla Remotely Hacked from a Drone

This is an impressive hack:

Security researchers Ralf-Philipp Weinmann of Kunnamon, Inc. and Benedikt Schmotzle of Comsecuris GmbH have found remote zero-click security vulnerabilities in an open-source software component (ConnMan) used in Tesla automobiles that allowed them to compromise parked cars and control their infotainment systems over WiFi. It would be possible for an attacker to unlock the doors and trunk, change seat positions, both steering and acceleration modes—in short, pretty much what a driver pressing various buttons on the console can do. This attack does not yield drive control of the car though.

That last sentence is important.

News article.

Tags: , , , ,

Posted on May 4, 2021 at 9:41 AM β€’ 25 Comments

Comments

me β€’ May 4, 2021 10:49 AM

Why a parked car has the wifi on? what about the battery?
sure the battery is big and wifi don’t consume a lot but still it doesn’t make sense to keep it on if it’s parked.

Garabaldi β€’ May 4, 2021 11:00 AM

@me Why a parked car has the wifi on? what about the battery?

So you can open the doors with your phone, or pre-start climate control etc.

Flark Snorfkin β€’ May 4, 2021 11:16 AM

@me Why a parked car has the wifi on?

So you can get automatic updates to fix security flaws. πŸ™‚

TimH β€’ May 4, 2021 11:39 AM

On wifi… If I was Tesla, I would do what Google got slapped for doing with streetview, and build up a GPS correlated map of every wifi hotspot.

TomS. β€’ May 4, 2021 11:55 AM

@me, @Garabaldi:

So you can open the doors with your phone, or pre-start climate control etc

I believe the ETSI IoT mobile specifications: e.g. LTE-M, NB-IoT, other? would be better choices than Wi-Fi.
Given the number of protocols that researchers described available in the Connection Manager, it would be unsurprising to find vulnerabilities in any of the physical layer protocols.

David Rudling β€’ May 4, 2021 2:09 PM

“It would be possible for an attacker to unlock the doors … ”

“This attack does not yield drive control of the car though.”

Why should this be any different to other attacks which usually consist of several stages.
This first stage give physical access to the interior of the vehicle.
Perhaps there will be a second stage attack (or more) making use of physical access which then compromises future control of the vehicle.
The stage one hack then allows the doors to be locked again after insertion of the second stage payload.
Would the system show obvious prior signs of compromise to the victim?

Hedo β€’ May 4, 2021 2:33 PM

Advancements in technology, if you look back say last 50 years and work your way through the milestones, and when you arrive at present day, it really gets summed up pretty accurately here https://www.youtube.com/watch?v=izQB2-Kmiic
Tesla, Prius, blah blah blah… how many of you are aware of Ecological RAPE that’s been going on in some parts of the planet in order to mine for Lithium?
Just so these “Environmentally Friendly” BS solutions such as battery powered vehicles, etc can be offered as “planet saving alternatives”.
My God, the older I get, the more I find myself embarrassed to be a part of the human species.

Real “fun” is yet to come with the availability and abundance of cheap Lime SDR cards. Buckle up people, most kids in 50 years from now are going to have their
OWN, personalized killer drones with custom programmed SDR cards. It is EASY to “invent” just about anything “cool” and “fancy” these days that involves Hi-Tech. You create it fast and cheap with CONVENIENCE in mind. People will buy it. Never mind the suffering it will cause to too many around the world because there is NO security/safety built into the product.

I am afraid of SDRs, and this comes from someone who KNOWS many of the ROGUE(wrong) purposes they can be turned into/made to serve for.

This is not too much off topic because drones pretty much run on SDRs.

T. β€’ May 4, 2021 3:24 PM

ConnMan is not the name I would give to a company that is selling trust…

Ismar β€’ May 4, 2021 4:22 PM

Why do we keep doing this to ourselves- making unnecessarily complex systems we can never secure fully ?
Let’s take a step back when designing these hi-tech gadgets and ask basic questions like – is the loss of security worth the additional convenience? The answer most of the time will be no. So why not focus our attention on robustness , reliability and security of these systems and not be spellbound by all the unnecessary bells and whistles of convenience which almost always introduce weaknesses.

β€œThe saddest aspect of life right now is that science gathers knowledge faster than society gathers wisdom β€œ – Isaac Asimov

SpaceLifeForm β€’ May 4, 2021 4:45 PM

@ Moderator

Trying here since this is spinning in another tab…

Also, forcing at least one PREVIEW may help. But, after ONE, not require more.

That is key. I have a plan.

Security Sam β€’ May 4, 2021 5:26 PM

A digital finite state machine
Doesn’t entail a great scheme
Just a little patience will glean
Sufficient data for one to gleam.

Clive Robinson β€’ May 4, 2021 6:02 PM

@ Ismar,

Why do we keep doing this to ourselves- making unnecessarily complex systems we can never secure fully ?

The answer is simple…

Firstly we can not make things secure ever, that is security is fleeting.

The reason for this is twofold,

1, Humans find new ways to break things everyday, thus what was secure yesterday is not secure today (Somebody called them “Black Swans”, somebody else called them “unknown knowns and unknown unknowns”).

2, Those in power wish to remain there, therefor they desire absolute security for themselves but absolutly no security from them for everyone else.

When you put the two together you get an unstable mess, where the only thing you can say is that like entropy where things move inexorably from ordered to disordered / chaos, all states of being move from the secure to the insecure.

Even the old,

“Three can keep a secret if the other two are dead”

Is not true due to meta-meta-data[1] and the failings of the human memory. A secret eventually finds it’s way out one way or another.

Trying to hide something always involves expenditure of resources, because it is an active process. The utilisation of resources leaves a trail of informarion that can mostly be “accounting/audit” can be followed. Trying to hide those just consumes more resources whilst making things more complex.

One of the failing of the human mind is we just do not do complex very well. That is we can not see things from every direction. In part this is because we are on the inside looking out, whilst others view from the outside looking in. But also because we focous on what we see and we do not look everywhere so there are holes between our viewpoints.

[1] When all is said and done security, secrecy, or privacy are all about “denying others” to be able to do that you have to possess something that you can withold. The fact something exists effects orher things around it. That is as the old phrase has it, “It fills a hole”. Thus to deny others you have to in effect hide not just what you possess but the hole it occupies. The problem with hiding holes is it’s always imperfect in some way. Thus the imperfections are meta-meta-data that indicates there is meta-data about the data on what it is you are keeping from others. Thus they might not know from the meta-meta-data what it is, but they do know there is something… It’s unavoidable because it takes more camouflage to disguise/hide something even casually than the something it’s self takes up, the better the camouflage the more of it is needed. Think of it as hiding a tree, you can hide a small tree in the shade of a larger tree, but to cover all angles you need a wood, but a forrest does it better because it hides the wood (just as Russian dolls hide those within).

SpaceLifeForm β€’ May 4, 2021 6:23 PM

@ Security Sam

Good thing, because I’m running low on turing tape.

EvilKiru β€’ May 4, 2021 6:40 PM

@Ismar, @Clive: 3, A lot of people prefer making as much money as possible as soon as possible above everything else.

Diz β€’ May 4, 2021 11:00 PM

Pretty much all the comments totally miss the point.
It’s just info that it can be hacked… but the hack produces the same result that a metal coat hanger did on older cars, now, of cause you need to disabled the alarm first but the hack is still possible with a metal coat hanger or more destructively with a screwdriver. If my recollection is correct contactless key cars had a huge vulnerability where anyone could apply and get a replacement key (and you could drive those away).

Diz β€’ May 4, 2021 11:08 PM

… just a continuation if thats ok.
Considering the alarm and not the actual locking mechanisms are the key protection on (I think all) modern cars, the big question isn’t whether or not the parked Tesla could be hacked but why the alarm didn’t go off? or did it and wasn’t mentioned in the article.

Diz β€’ May 4, 2021 11:15 PM

Sorry for the third post.
After reading the article…
This hack wasn’t actually done on a Tesla but on a simulation, so although the weakness has logically been patched there is no confirmation that the alarm wouldn’t have gone off nor that the owner wouldn’t have been immediately informed via the app…
… and I believe from reading this that no drone was used.

Clive Robinson β€’ May 5, 2021 12:24 AM

@ EvilKiru, Ismar

3, A lot of people prefer making as much money as possible as soon as possible above everything else.

I tend to put such people some way under those seeking power, they have similar motivations of gain.

But thay are seen as failures by those further up, because they have failed to realise that money is just a tool to use. So rather than the ultimate goal of power, they tend to buy what they think are outward projections of success and status, they are as an academic friend once noted “so petiet bourgeois”[1].

Personally the desire for status, power or money has never realy interested me, yes I have material gains and yes I’ve done the capitalist thing, but as a means to an end which was freedom from others, and to do what I wanted to do. Alledgedly I’m a “high end creative” a sort of trades person who uses brain not muscle as their marketable skill. Such people do not realy fit into the “social and economic strata” that Marx and Lenin formulated to fill out the older “estates model”. In part because back then they were seen as being part of the clergy which belonged in the first estate rather than in the lower estates. The reality was Carl Marx was already out of date as he put pen to paper in the British Library reading room. Society due to industry and the force multipliers it provided was moving beyond the peasant in the field, that had been externalised to Empire via trade. Thus what evolved as communisum was in reality an attempt to hold onto the power structure of the old estates model but with a new court of patronage and no middle classes or religious control of the first estate. As my friend also succinctly put it “Same sh1t different faces”. George Orwell kind of got it right in Animal farm when he decided Napolean should be a pig…

[1] The various bourgeois are social status standings general in the “middle class” with a range of petiet bourgeois to haute bourgeois. With the petiet being a little above trades people, traditionaly the top end of skilled trades people who formed guilds and the like, through shop keepers and costermongers, who have small busineses and do “civic duties” not because of a desire to do so but to show they are members of the club as it were. The haute bourgeois being the upper end of the middle class who employ others not directly but through others. At the bottom the “proffessions” such as law medicine and accounting at the top what these days would be called indistrialists or capitalists. Thus calling them petiey bourgeoisie is in effect a put down or insult.

Ollie Jones β€’ May 5, 2021 7:32 AM

Teslas have two computers. One drives the infotainment setup: the big screen with all the UI on it, the WiFi and LTE interfaces, the adaptive cruise control, and all that stuff that attracts geeks like me to the product. It also handles climate control and makes driver-feedback sounds like turn-signal clicks.

(Power: a BEV battery holds tens of kilowatt hours. A computer in idle mode listening on WiFi and LTE draws tens of milliwatts.)

The other runs the car’s drive-by-wire setup. The drive-by-wire computer works correctly even when the infotainment computer doesn’t. That is good.

You can bounce the infotainment computer with a two-thumb salute: Push and hold both thumbwheels on the steering wheel. This works even when the car is moving. While the infotainment computer is down, the heat / AC konks out: that’s not great. There’s a similar way to bounce the drive-by-wire computer, but that does not work unless the car is parked.

Somebody from Tesla can chime in maybe. But I believe the drive-by-wire computer is fairly robustly defended from remote attack. That does NOT mean it’s invulnerable. But it looks to me like they did a credible job of defense-in-depth. (I hope so anyway, I’m giving my granddaughter a ride in mine later this week. πŸ™‚

And they have an exemplary security-researcher / responsible-disclosure policy.

jay β€’ May 5, 2021 2:54 PM

just last week, Tesla’s product launch in Shanghai Convention Center. a woman jumped onto the podium accusing Tesla EV as “poor quality”. Successfully made a big scene until security applied “coercive measures” to remove her from the venue. reporters talked to the woman and she said her father crashed the car on freeway even though he incessantly applied the brakes before and during the crash. the woman demanded Tesla for refund or replace her a new car at no cost because this was Tesla’s manufacture defect. Tesla denied the claim stating, in a public statement, that the crash was caused by “speeding”. we do not know who’s in the right but problem with Tesla’s argument is, how do they know? the owner never sent the car to Tesla and up to this time, Police has kept their investigation confidential. HOW did Tesla know the driver was speeding? are they just Bulls or they do have the data? and if they do have the data, how they got that data? talking about “rock and a hard place”. LOL

JonKnowsNothing β€’ May 5, 2021 4:44 PM

@All

iirc(badly)

  • A good while ago, there were reports that cars which such features may be using 2 different systems: one for the car, one for the infotainment system, but they communicate along the same single bus structure.
    The same design problem happens in aircraft.
  • A fair number of topics included remote-remote-keyfob hacks (any car). This used a relay system to “read the fob” in the house and ping it to the car parked on the street.
    Just another way to open the doors.

No idea if this is still part of the designs (for any I(di)OT car).

===
ht tps://en.wikipedia.org/wiki/Bus_(computing)
(url fractured to prevent autorun)

me β€’ May 5, 2021 10:44 PM

“Why do we keep doing this to ourselves- making unnecessarily complex systems we can never secure fully ?”

You’re overthinking it. The simple answer is that it makes someone money. The consequences of poor design are externalities.

Garabaldi β€’ May 6, 2021 2:01 PM

β€œWhy do we keep doing this to ourselves- making unnecessarily complex systems we can never secure fully ?”

Because people like nice things. The purpose of security is to prevent other people taking your nice things. If security prevents you having nice things in the first place what’s the point? There is always a tradeoff and security uber alles is rarely the optimum. And you can’t fully secure anything anyway. Anybody with a brick can break into my house and steal the car keys, fob or phone. I could live in a bunker but windows are nice things.

Keyless entry is more convenient. For a lot of people keyless entry with a smart phone instead of a fob is more convenient.

Internet Individual β€’ May 7, 2021 7:22 PM

That is pretty cool hack. It makes you think of all the ways you might try to “hack” or at least Manipulate an automated car. For instances couldnt you paint lines on the road using some special infrared reflected coating, to direct the car off a cliff? Or use the drone to flash super bright lights into front sensors and maybe the car would slam on the breaks thinking a wall was right infront of it. Even something as simple as what it might do when it sees something that it just cant compute, does it stop or just keep going? All the white snow and ice in the winter.

Seems to me the best way to go is have flying cars instead. Automated only of course. Similar to those VTOL’s they use in Dubai to go from rooftop to rooftop downtown. Simply enter the location your trying to go and veritical takeoff and flys to location. Have it automatically return to base after it drops you off. Seems much easier and safer than trying to navigate roads in the United states. Though once EMP-rifles are invented to combat the skynet, it may be a good idea to reconsider. We might be going back to horse and buggy at that point. Or roller blades.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.