Nowadays, a new car owner has a number of features at his disposal that would have seemed out of a sci-fi flick not so long ago, and that’s mainly due to the revolution in connectivity systems and their integration with smartphones.
That’s all good and well, but now car thieves have also stepped up their game, indulging in cybercrime, and they are targeting the weakest link in the chain: the end user. Security firm Promon demonstrated how easy it is for hackers to locate, open and drive away with a Tesla Model S by taking advantage of that vulnerability.
What they did was exploit the application that allows the user to check the battery status, view the location of the car and even set the climate control, all via a smartphone. The difficult part was convincing the owner to download another app (an Android one, in this case) that is essentially malware, which would give them access to both the Tesla application and the owner’s username and password. They did that by offering a free Wi-Fi hotspot next to a charging station, promising a free burger at the nearby restaurant.
From then on, it was a walk in the park for the would-be hacker to locate, unlock and use the keyless driving function to steal the car. Had it been a real case, instead of a demonstration, the unsuspecting owner wouldn’t even know anything about it until he returned to the parking lot…
“Mobile-focused criminals are more skilled than ever before, and are using a lack of security in mobile apps as an increasingly lucrative source of revenue”, said Tom Lysemose Hansen, founder and chief technology officer of Promon. “Remotely controlling and stealing Tesla cars is a particularly dangerous example of just what can be done, but in theory any app without the necessary protection in place could be affected.”
A Tesla spokesperson commented to IBTimes UK on this particular hack: “The report does not demonstrate any Tesla-specific vulnerability. This demonstration shows what most people intuitively know – if a phone is hacked, the applications on that phone may no longer be secure.”
“The researchers showed that known social engineering techniques could be employed to trick people into installing malware on their Android devices, compromising their entire phone and all apps, which also includes their Tesla app. Tesla recommends users run the latest version of their mobile operating system.”
Free Wi-Fi hotspots and free burgers? No such thing as a free lunch, certainly, and it shows that if something looks too good to be true, then there’s a catch somewhere. Or someone waiting for you to take the bait so they can steal your car.