If you own a Tesla and see a drone hovering near the parking lot, pay attention: someone might be trying to break into the car. At least, that is the scenario security researchers Ralf-Philipp Weinmann and Benedikt Schmotzle describe. The duo discovered zero-click vulnerabilities in ConnMan, an open-source connection manager component used in Tesla's software. By exploiting them over Wi-Fi, an attacker could take control of the infotainment system without any interaction from the driver.
Tesla’s Zero-click Vulnerabilities
The zero-click vulnerabilities, which the researchers named “TBONE,” were to be demonstrated at the Pwn2Own hacking contest scheduled for Vancouver in March 2020, but the event could not take place as planned because of the pandemic. Tesla prides itself on being a technology company rather than just an automaker, owing to its pioneering work on self-driving cars, and so it supports hacking contests and bug bounty programs to further harden its technology.
Weinmann and Schmotzle said that exploiting the vulnerabilities would let an attacker “lock/unlock the doors and trunk, change seat positions, both steering and acceleration modes”; in short, nearly everything a driver can do by pressing buttons on the console. One important caveat: even with control of these functions, the attacker could not interfere with the car's driving controls. (So, no, your Tesla will not roll out of the parking lot and drive itself to the attacker's destination... at least for now.)
What the Researchers Say…
Weinmann, who is the CEO of Kunnamon, said,
“Looking at the fact that TBONE required no user interaction, and the ease of delivery of the payload to parked cars, we felt this attack was ‘wormable’ and could have been weaponized.”
“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. However, we did not want to weaponize this exploit into a worm.”
The researchers did not have an actual Tesla to test against, so they developed the attack on an in-house emulator, KunnaEmu. Confident in the emulator's accuracy, they reported their findings through Tesla's bug bounty program in October 2020. Tesla responded quickly and shipped a fix in firmware update 2020.44 in late October. Tesla has also reportedly moved away from ConnMan to an alternative, dnsmasq.
ConnMan is also used in cars from several German manufacturers, so the duo shared their findings with CERT-Bund (the German federal CERT) to help those automakers fix the vulnerabilities as soon as possible.