Research by Norwegian app security firm Promon has demonstrated that cyber-criminals could take control of the company's vehicles, to the point where they can locate, unlock and drive the car away unhindered.
Such a hack, possible by exploiting a lack of security in the Tesla smartphone app, gives criminals total control of the vehicle, providing additional functionality to that exposed by Keen Security Labs in a different hack in late September.
As illustrated in a video produced by Promon, experts at the company have been able to take full control of a Tesla vehicle, including finding where the car is parked, opening the door and enabling its keyless driving functionality.
Crucially, this is all done by attacking and taking control of the Tesla app. This underlines the vital importance of app security, and the wider implications this could have for IoT-connected devices in general.
Tom Lysemose Hansen, founder and CTO at Promon, said: “Keen Security Labs' recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car.”
One way for the hack to work is for cyber-criminals to set up a Wi-Fi hotspot, likely close to a public Tesla charging point. When Tesla users log in and visit a page, an advert targeting car owners appears, offering an incentive such as a free meal. When clicking this link and downloading the accompanying app, hackers can gain access to the user's mobile device, which enables them to attack the Tesla app.
According to Hansen, the ease with which any tech-savvy criminal can steal a Tesla car in this way is indicative of a need for a much greater focus on in-app security across all IoT-connected devices and applications.
Hansen added: “Mobile-focused criminals are more skilled than ever before, and are using a lack of security in mobile apps as an increasingly lucrative source of revenue. Remotely controlling and stealing Tesla cars is a particularly dangerous example of just what can be done, but in theory, any app without the necessary protection in place could be affected.
“One way to achieve this is by introducing self-defending app software that protects the app from the inside out, greatly reducing the possibility of a cyber-attack. By moving away from having a physical car key to unlock the door, Tesla is basically taking the same step as banks and the payment industry. Physical tokens are replaced by 'mobile tokens'. Hence, we strongly believe that Tesla and the car industry needs to provide a comparable level of security, which is certainly not the case today.”
Promon is in close dialogue with Tesla to address these app security issues.
Hansen concluded: “Tesla is a shining example of how technological advances are providing unprecedented levels of innovation and user convenience. However, our increasingly app-focused world needs to be urgently secured, to prevent criminals from seizing their opportunity on a large scale.”