Cybersecurity and Tesla Hack
By Charles Parker
This is from the “What will they think of next” file. Imagine you have just purchased your dream car, the Tesla Model X. You drive it home, with the windows down and the music on. Life is good. You park in the driveway and start to walk up to your house with a smile on your face. Just before you unlock the door, you look back at your new purchase. There’s an annoying drone nearby. Your new pride and joy starts acting odd, especially since you are not in the vehicle. The doors begin to open together, then one at a time. The trunk opens and closes rhythmically with the doors.
As odd as this sounds, this is possible and has been done. Researchers presented this work at the CanSecWest conference (virtual) on April 29, 2021. The researchers used two vulnerabilities to attack the Tesla vehicle. Their new exploit was termed TBONE.
The Tesla uses ConnMan in its network, and the researchers focused their attack on this point. To design portions of the attack, the researchers used a ConnMan emulation tool, KunnaEmu. With this, they did not need access to a Tesla at all times while testing. What makes this a bit different and interesting is the configuration.
ConnMan is used to manage the network connections. The attack itself combined a stack buffer overflow in the processing of DNS requests (CVE-2021-26675) with a loophole in the DHCP stack (CVE-2021-26676).
The attack hardware is easy to source. All the attacker needs is a Wi-Fi dongle and a drone. Nothing too complicated. There is also no user interaction required. The complete attack can be done in three minutes. Once done, the attacker can, among other things, inject malicious code.
Once exploited, the attacker can do most things a driver can, except start the vehicle. This includes unlocking the doors, unlocking the trunk, changing seat positions, changing steering modes, and changing acceleration modes. This allows full access to the vehicle. This isn’t a thought experiment. The researchers had a full recording of the attack, which they played during the presentation.
On a tangent, they could have weaponized this. The vehicle could have uploaded the malware and been used as an access point to infect other Teslas. This is a big deal since this could compromise any Tesla Model X that has not received the patch, even the parked ones. What makes it worse is that the system is used by other OEMs who may not have patched this yet.
The vulnerability and attack weren’t sprung on the interested parties a week prior to the conference. They did inform Intel, who created ConnMan. The vulnerability was remediated with FOTA update 2020.44 by Tesla in late October 2020.