In the information age, releasing any new connected product will draw the attention of people who want to test the limits of just how secure it is. In fact, most large enterprises not only predict this, but offer big bounty programs to encourage “white hat” hackers to find, validate, and responsibly disclose vulnerabilities before bad actors can exploit them in the wild. This, of course, also applies to connected cars like Tesla.
Two security researchers recently published their findings after alleging that it was possible to hack a Tesla simply by the vehicle being near a wireless access point. To make matters more interesting, they were reportedly able to deliver their attack from a drone with a wireless module affixed to it, so the attack payload could be delivered remotely without any direct line of sight to the vehicle.
The vulnerability, called “TBONE,” was originally meant to be an entry for the Pwn2Own 2020 security contest, though it was publicly disclosed by German security researchers Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris at CanSecWest 2021 last week. The two researchers were able to successfully gain privileged access to any Tesla vehicle produced after mid-2018 without ever having to touch the vehicle itself, or even see it. This allowed them to unlock the car, open the charge port, and execute any command that a driver would be able to do from the car’s infotainment screen.
Here’s how it works: Weinmann and Schmotzle knew that all Tesla vehicles were programmed to look for a wireless network called “Tesla Service.” The credentials for this network, including the passcode (which was covertly shared on Twitter for quite some time and used in several other attack vectors throughout the years), are hard-coded into the car’s firmware. When a Tesla vehicle is parked, it will begin scanning for the network and automatically connect to it without any manual interaction.
Because the vehicle would connect to this network anywhere, it was possible to launch the attack remotely. This could be accomplished by leaving a rogue computer in a remote location, or by flying a drone overhead that broadcast the network. The researchers chose the latter, explaining that it would be possible to fly the drone to a Supercharger or another location with a large concentration of Tesla vehicles and launch the attack.
The researchers decided that they would use the connection as a starting point and focus on the Model 3’s built-in web browser as an attack vector, as they did in 2019 when Tesla pushed an update to vehicles that swapped out QtWebKit for Chrome just days before the Pwn2Own contest was scheduled. However, they would first need to find a way to execute arbitrary code.
At the time, Tesla vehicles used an open-source network connection manager called ConnMan, which was originally developed by Intel for its Moblin (short for “Mobile Linux”) platform. This software supports a myriad of connection protocols across the network stack and is accessible once the car connects to a wireless network, making it an ideal attack vector for the team to exploit.