Norwegian researchers show how to hack and drive a Tesla car through its app

Research by Norwegian app security firm Promon has demonstrated that, by exploiting a lack of security in the Tesla smartphone app, cybercriminals could take control of the company’s vehicles. They have shown they can locate, unlock and drive the car away unhindered.

Such a hack gives criminals total control of the vehicle, providing additional functionality to that exposed by Keen Security Labs in a different hack in late September.

As illustrated in a video produced by Promon, experts at the company have been able to take full control of a Tesla vehicle, including finding where the car is parked, opening the door and enabling its keyless driving functionality. Crucially, this is all done by attacking and taking control of the Tesla app. This underlines the vital importance of app security, and the wider implications this could have for IoT-connected devices in general.

Tom Lysemose Hansen, founder and CTO at Promon, said: “Keen Security Labs’ recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car.”

One way for the hack to work is for cybercriminals to set up a Wi-Fi hotspot, likely close to a public Tesla charging point. When Tesla users log in and visit a page, an advert targeting car owners appears, offering an incentive such as a free meal. When clicking this link and downloading the accompanying app, hackers can gain access to the user’s mobile device, which enables them to attack the Tesla app.Promon-logo-dark.11.16

According to Hansen, the ease with which any tech-savvy criminal can steal a Tesla car in this way is indicative of a need for a much greater focus on in-app security across all IoT-connected devices and applications.

He added: “Mobile-focused criminals are more skilled than ever before, and are using a lack of security in mobile apps as an increasingly lucrative source of revenue. Remotely controlling and stealing Tesla cars is a particularly dangerous example of just what can be done, but in theory, any app without the necessary protection in place could be affected.

“Implementing this app security should be a priority for any business with an app containing sensitive user data. One way to achieve this is by introducing self-defending app software that protects the app from the inside out, greatly reducing the possibility of a cyber attack.

“By moving away from having a physical car key to unlock the door, Tesla is basically taking the same step as banks and the payment industry. Physical tokens are replaced by ‘mobile tokens’. Hence, we strongly believe that Tesla and the car industry needs to provide a comparable level of security, which is certainly not the case today.”

Promon is in close dialogue with Tesla in order to address these app security issues.

 Hansen concluded: “Tesla is a shining example of how technological advances are providing unprecedented levels of innovation and user convenience. However, our increasingly app-focused world needs to be urgently secured, to prevent criminals from seizing their opportunity on a large scale.”

To view Promon’s video in full, click here.

Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow

FEATURED IoT STORIES

9 IoT applications that will change everything

Posted on: September 1, 2021

Whether you are a future-minded CEO, tech-driven CEO or IT leader, you’ve come across the term IoT before. It’s often used alongside superlatives regarding how it will revolutionize the way you work, play, and live. But is it just another buzzword, or is it the as-promised technological holy grail? The truth is that Internet of

Read more

Which IoT Platform 2021? IoT Now Enterprise Buyers’ Guide

Posted on: August 30, 2021

There are several different parts in a complete IoT solution, all of which must work together to get the result needed, write IoT Now Enterprise Buyers’ Guide – Which IoT Platform 2021? authors Robin Duke-Woolley, the CEO and Bill Ingle, a senior analyst, at Beecham Research. Figure 1 shows these parts and, although not all

Read more

CAT-M1 vs NB-IoT – examining the real differences

Posted on: June 21, 2021

As industry players look to provide the next generation of IoT connectivity, two different standards have emerged under release 13 of 3GPP – CAT-M1 and NB-IoT.

Read more

IoT and home automation: What does the future hold?

Posted on: June 10, 2020

Once a dream, iot home automation is slowly but steadily becoming a part of daily lives around the world. In fact, it is believed that the global market for smart home automation will reach $40 billion by 2020.

Read more
RECENT ARTICLES

Infineon and Rainforest Connection create real-time monitoring system to detect wildfires

Posted on: October 22, 2021

Munich and San Jose, California, 21 October, 2021 – Infineon Technologies AG a provider of semiconductors for mobility, energy efficiency and the IoT, announced a collaboration with Rainforest Connection (RFCx), a non-profit organisation that uses acoustic technology, Big Data and Artificial Intelligence / Machine Learning to save the rainforests and monitor biodiversity.

Read more

Infineon simplifies secure IoT device-to-cloud authentication with CIRRENT Cloud ID service

Posted on: October 21, 2021

Munich, Germany. 21 October 2021 – Infineon Technologies AG launched CIRRENT Cloud ID, a service that automates cloud certificate provisioning and IoT device-to-cloud authentication. The easy-to-use service extends the chain of trust and makes tasks easier and more secure from chip-to-cloud, while lowering companies’ total cost of ownership. Cloud ID is ideal for cloud-connected product companies

Read more