
Android Malware Used to Hack and Steal a Tesla Car - SCAQTony
http://www.bleepingcomputer.com/news/security/android-malware-used-to-hack-and-steal-a-tesla-car/
======
bluesign
I hate when people use some brands publicity to promote themselves.

Tesla clearly has no fault here.

so basically:

- you need to download a malicious app
- your phone has to have some security bug to bypass the 'sandbox' via some root privileges

I can understand if you blame google for android, or user for downloading app.
But after this chain, there is virtually no app you cannot hack.

>Promon engineers recommend that the Tesla app provide two-factor
authentication, should avoid storing the OAuth token in cleartext, prevent
easy access to its source code, and use a custom keyboard layout when entering
passwords to fight against mobile keyloggers.

btw none of these suggestions prevents anything if you have the conditions
above, which suggests to me they have no idea what they are talking about

~~~
janvidar
There are lots of ways to get access to this data, installing an app is a
pretty convenient and common way to do so.

Any app can be hacked with enough effort. The Tesla app provided absolutely no
resistance, and technically no privilege escalation is required to steal the
relevant data. Your screen reader app, or custom keyboard has the relevant
access.

>Promon engineers recommend that the Tesla app provide two-factor
authentication, should avoid storing the OAuth token in cleartext, prevent
easy access to its source code, and use a custom keyboard layout when entering
passwords to fight against mobile keyloggers.

We did not recommend this, however the OAuth token should not be in clear
text.

~~~
hibbelig
This blog post does contain those recommendations:

[https://promon.co/blog/tesla-cars-can-be-stolen-by-hacking-the-app/](https://promon.co/blog/tesla-cars-can-be-stolen-by-hacking-the-app/)

Near the bottom, it says:

_The app should provide its own keyboard for entering the username and
password. Otherwise, malicious third party keyboards can act as keyloggers to
obtain the user's credentials._

And:

_The app should be protected against reverse engineering._

~~~
problems
> The app should provide its own keyboard for entering the username and
> password. Otherwise, malicious third party keyboards can act as keyloggers
> to obtain the user’s credentials.

This doesn't really help: if the attacker already has root on the device they
can simply hook the login or key entry function in the application. They can
also just screenshot on tap when the app is launched (though that's the lame
way).

> The app should be protected against reverse engineering.

There's no such thing, I hate when people say things like this. If you rely on
protections against reverse engineering, you rely on half-measures.

A determined reverser will always break your app. It might take minutes or
days, but it'll always happen and they only need to break it once for it to be
broken for everyone.

Ultimately this is a phone security issue. Don't download and run
untrustworthy code, doubly so if your ROM is out of date and vulnerable.

As the immutable law of security says: If someone has root on your device,
it's not your device anymore!

~~~
on_and_off
If the attacker has root on the device, he can do absolutely everything he
wants with it. I don't think any app can do anything at that point.

------
sfifs
> An attacker can read this token if he has access to the user's phone.

> the app will prompt the user to enter his password again, providing the
> perfect opportunity to collect the user's password. Attackers also modify
> the Tesla app's source code to steal login data

Come on, if an attacker has access to an unlocked phone there are far more
valuable targets than a "connected car" that can possibly be remote disabled
any time.

The chain of dependencies outlined in the article is borderline ridiculous.

~~~
janvidar
At the end of the day, a username and password is everything you need to drive
off with any app-enabled Tesla.

You can perform your attack in a number of different ways to achieve this, but
setting up a free wifi hotspot near a Tesla super charger allows you to target
and harvest several such usernames and passwords with very little effort.

Disclaimer: I work for Promon. Feel free to ask me about the attack.

~~~
jaclaz
If I may, I am a bit perplexed by:

>Promon engineers recommend that the Tesla app provide two-factor
authentication, should avoid storing the OAuth token in cleartext, _prevent
easy access to its source code_, and use a custom keyboard layout when
entering passwords to fight against mobile keyloggers.

Security by obscurity?

~~~
janvidar
I'm not sure where this quote came from, but I can say that the Tesla app
should avoid storing the OAuth token in cleartext.

Disclaimer: I work for Promon. See our blog post:
[https://promon.co/blog/](https://promon.co/blog/)

~~~
jaclaz
The quoted text is the last sentence in the article this thread is about:

[http://www.bleepingcomputer.com/news/security/android-malware-used-to-hack-and-steal-a-tesla-car/](http://www.bleepingcomputer.com/news/security/android-malware-used-to-hack-and-steal-a-tesla-car/)

If the Author of the bleepingcomputer.com article has misunderstood your
findings and conclusions and is reporting as yours something you didn't
recommend, you should let him know and ask for a correction.

------
bitmapbrother
The Tesla Android app (there is a new version coming out soon to replace the
very dated Android and iOS versions) stores its OAuth credentials in plain
text in the Tesla app folder. So in order for this to work:

1. User must enable the installation of apps from unknown sources.

2. User must then find and install malicious app.

3. Malicious app must then try and root phone in order to be able to read the
OAuth credentials stored in the Tesla app folder.

4. And finally, user must own a Tesla.

Chances of this ever happening in the real world: Zero.

~~~
janvidar
1. The free burger malware was hosted from Google Play

2. The attack was performed at a restaurant near a Tesla super charger,
offering a free Wifi which pushed the Google Play link as ads.

3. The app must not root the phone, but this is pretty straight forward.

4. Pretty likely near a Tesla super charger.

> Chances of this ever happening in the real world: Zero.

We certainly hope so.

We're raising awareness of IoT app security. Read our blog for the original
technical details: [https://promon.co/blog/](https://promon.co/blog/)

~~~
bitmapbrother
The number of things that must work correctly in your scenario is so
unrealistic that I would still say the odds are near zero. If someone wants a
Tesla they'll do it the easy way and use a flatbed truck.

------
SCAQTony
Why have a drive train that can "talk" or take commands from a phone at all?
One would think that an air gap or air wall would be job one.

~~~
sowbug
That's quite a bright line to draw, especially given that so few cars are
air-gapped today (remote keyless ignition has been widely available since the
1990s).

Moreover, auto theft was a thing long before computers were.

------
huslage
This sort of attack should not be possible. What sort of sandbox sits on disk
unencrypted (regardless of its contents)?! That's not a sandbox, it's just a
directory. Android is an abomination.

------
leephillips
"Android app saves OAuth token in cleartext"

Sheesh.

~~~
scarybeast
I'm not sure that "sheesh" is an appropriate response.

It's perfectly valid for an app to rely on the security of its own storage
space, and isolation from other apps, and drive encryption services of the
platform. These are the guarantees provided by the underlying OS, and if they
are broken, all bets are off.

And what would you do differently? Any effort you put in here is going to cost
you complexity and only likely provide security through obscurity.
Fundamentally, the app has the authority to unlock and start the car. And a
root exploit fundamentally has power over the app. This doesn't change even if
you put the "key" material into hardware storage. Or maybe you could add an
in-app password to encrypt the Tesla password? This is nasty UX, and the root
exploit can still wait around for a moment when the password is provided.

If there's any takeaway here, it is regarding Android. If you want a secure
Android phone, choose it carefully. Very few Android phones keep up with the
Google automatic security patch schedule. You may want one that does, such as
a Pixel.

~~~
leephillips
That's a reasonable reply. I think my comment was hasty, made after skimming
the article and not thinking about it too deeply.

------
stcredzero
Has anyone tried to "Poison Tap" a Tesla?

[http://www.valuewalk.com/2016/11/poison-tap-5-usb-hijack-locked-computer/](http://www.valuewalk.com/2016/11/poison-tap-5-usb-hijack-locked-computer/)

