
Tesla cars can be stolen by hacking the app - andreasley
https://promon.co/blog/tesla-cars-can-be-stolen-by-hacking-the-app/
======
andreasley
This was done by installing malware on a Tesla owner's Android smartphone.
Tesla's response to electrek [1]:

 _The report and video do not demonstrate any Tesla-specific vulnerabilities.
This demonstration shows what most people intuitively know – if a phone is
hacked, the applications on that phone may no longer be secure._

That is, of course, true. However, is a login and password [2] really
sufficient to secure access to a car? Why isn't there some kind of pairing
between the smartphone and the car?

Some argue that stealing a physical key is even easier. Of course it is, but
that doesn't mean we can't do better.

[1] [https://electrek.co/2016/11/23/tesla-hacker-steal-car/](https://electrek.co/2016/11/23/tesla-hacker-steal-car/)

[2] [https://www.youtube.com/watch?v=vlVFhT-DjnI](https://www.youtube.com/watch?v=vlVFhT-DjnI)

~~~
janvidar
The OAuth token is also stored in plain text on the device. This is by itself
enough to locate, track and unlock the car. The app prompts the user for the
username/password in order to start the car.

Mandatory disclaimer: I'm affiliated with Promon.

