Hackers could stop Tesla cars if drivers leave Bluetooth diagnostics module connected

News by Rene Millman

Device fitted to cars could bring vehicles to a halt through fuzzing CAN messages

Leaving a Bluetooth diagnostics module connected to a Tesla car could leave it open to hackers, according to security researchers.

Ken Munro, partner and founder of Pen Test Partners, said in a blog post that while Tesla cars don’t have a conventional OBDII port for onboard diagnostics, they have their own diagnostics connector (X427).

"That connector has access to all five CANbuses on the vehicle. Yes really. Sound unwise to anyone?" he said.

He added that as conventional OBDII modules don’t work, users could attach an ELM327 Bluetooth module to analyse the traffic and read CAN messages. This lets users see information about the car such as power, battery status, temperatures, and voltages.

But ELM327 modules have a static, unchangeable Bluetooth PIN of 1234. Munro said that many Tesla drivers who have the modules leave them plugged in all the time so they can read stats on their phones.

In a demo, Munro and a colleague went for a drive with this Bluetooth module connected.

"We fuzzed the CAN hard, essentially replicating existing messages but with random length and content. What happened?" he said. "Very quickly we got a LOT of error messages, culminating in the front, then rear motors going offline and then lost all power."

Munro added that the steering and brakes remained operational through the whole process and the vehicle also came back to life after a full reboot.

"That’s impressive – other vehicle brands may not have coped so well with the traffic. Brick, anyone? Still quite scary on a fast road / motorway / freeway though."

Munro said that further tests have managed to identify CAN traffic to kill the battery contactor.

He said that drivers should not leave unsecured interfaces to their Tesla (or any vehicle) open, Bluetooth or otherwise.
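The fuzzing Munro describes replays existing messages with random length and content, so a monitor that learns each CAN ID's normal payload length from clean traffic can flag such frames. The sketch below is an added example, not code from Pen Test Partners or Tesla; the CAN IDs, payloads and the names `learn_baseline` and `find_anomalies` are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Frame(NamedTuple):
    can_id: int   # 11-bit arbitration ID
    data: bytes   # payload, 0-8 bytes on classic CAN


def learn_baseline(frames):
    """Map each CAN ID seen in known-good traffic to the payload lengths it used."""
    baseline = defaultdict(set)
    for f in frames:
        baseline[f.can_id].add(len(f.data))
    return dict(baseline)


def find_anomalies(frames, baseline):
    """Return (index, frame, reason) for every frame that breaks the baseline."""
    alerts = []
    for i, f in enumerate(frames):
        if len(f.data) > 8:
            alerts.append((i, f, "payload longer than classic CAN allows"))
        elif f.can_id not in baseline:
            alerts.append((i, f, "unknown ID"))
        elif len(f.data) not in baseline[f.can_id]:
            alerts.append((i, f, "unexpected length for known ID"))
    return alerts


# Constructed sample traffic: IDs and payloads are invented, not real Tesla messages.
CLEAN = [
    Frame(0x101, bytes(8)), Frame(0x202, bytes(4)),
    Frame(0x101, bytes([1, 2, 3, 4, 5, 6, 7, 8])), Frame(0x202, bytes([9, 9, 9, 9])),
]
OBSERVED = [
    Frame(0x101, bytes(8)),             # normal
    Frame(0x101, bytes([0xFF, 0x00])),  # known ID, wrong length
    Frame(0x202, bytes(4)),             # normal
    Frame(0x3FF, bytes(1)),             # ID never seen in the baseline
    Frame(0x202, bytes(7)),             # known ID, wrong length
]

if __name__ == "__main__":
    baseline = learn_baseline(CLEAN)
    for idx, frame, reason in find_anomalies(OBSERVED, baseline):
        print(f"frame {idx}: id=0x{frame.can_id:03X} len={len(frame.data)} -> {reason}")
```

A length check only catches the random-length half of the fuzzing; frames with a valid length but random content need per-signal range or rate checks on top of it.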

Nigel Stanley, chief security officer at TUV Rheinland, told SC Media UK that as many modern cars are now complex computers on wheels with gazillions of lines of software code and loads of operational technology stuffed in a steel (or glass fibre, or aluminium) box available in the public domain, of course they will be a target for hackers.

"Breaking a Tesla gains serious points in a hacking forum," he said.

"In my experience, manufacturers are quickly waking up to cyber-securing their vehicles. Interestingly, data privacy was a big issue for many manufacturers when GDPR was all the rage over the past couple of years. But decent cyber-security takes time as it needs to be part of the initial design specification as 'secure by design' necessarily gains a foothold in the automotive industry."

Dennis Kengo Oka, senior solution architect at Synopsys, told SC Media UK that there are currently several standardisation activities ongoing such as ISO21434 and UNECE WP.29 which will assist car manufacturers and suppliers to improve their cyber-security posture.

"This would also for example include monitoring for new threats and attacks not only during development but also after vehicles have been sold. Since vehicles are on the streets for 10-15 years, it is imperative that cyber-security encompasses the entire lifetime of the vehicle," he said.
