Two researchers have shown how a Tesla, and probably other cars, can be hacked remotely without any user interaction. They used a drone to carry out the attack.
Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris conducted research last year that led to this conclusion. The investigation was conducted for the Pwn2Own 2020 hacking competition, which offered a car and other substantial prizes for hacking a Tesla. The results were later submitted to Tesla via its bug bounty programme after Pwn2Own organisers agreed to temporarily exclude the automotive category due to the coronavirus pandemic.
TBONE is an attack that exploits two vulnerabilities in ConnMan, an internet connection manager for embedded devices. An attacker can use these bugs to take complete control of a Tesla’s infotainment system without requiring any user interaction.
An attacker who exploits the flaws can use the infotainment system to perform any task that a normal user might. This includes opening doors, adjusting seat positions, playing music, regulating the air conditioning, and changing the steering and acceleration modes, among other things. “However, this attack does not yield drive control of the car,” the researchers explained.
They demonstrated how an attacker could use a drone to launch an attack over Wi-Fi on a parked car and open its doors from up to 100 metres away (roughly 300 feet). The exploit, they said, worked on Tesla S, 3, X, and Y models.
“Adding a privilege escalation exploit to TBONE, such as CVE-2021-3347, will allow us to load new Wi-Fi firmware into the Tesla car, turning it into an access point that could be used to exploit other Tesla cars in the region. However, we did not want to transform this hack into a worm,” Weinmann explained.
Tesla officially stopped using ConnMan after patching the vulnerabilities with an update released in October 2020. Intel was also notified because it was the original creator of ConnMan, but according to the researchers, the chipmaker claimed it was not its fault.
According to the researchers, the ConnMan component is commonly used in the automotive industry, suggesting that similar attacks could be launched against other vehicles as well.
Weinmann and Schmotzle sought assistance from Germany’s national CERT in informing potentially affected vendors, but it’s uncertain if other manufacturers have responded to the researchers’ findings.
Earlier this year, the researchers presented their results at the CanSecWest conference. A video of them using a drone to hack a Tesla is also included in the presentation.
Over the past years, cybersecurity researchers from several companies have demonstrated that a Tesla can be hacked, in many cases remotely.