Over the past years, several cybersecurity companies have shown that a Tesla can be hacked.
Recently, two European researchers demonstrated how a Tesla can be hacked remotely without any user interaction. They carried out the attack from a drone, showing that other smart cars are possibly vulnerable too.
Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris conducted research that initially was intended for the Pwn2Own 2020 hacking competition and presented their findings in a paper [PDF]. When the Pwn2Own contest organizers decided to temporarily eliminate the automotive category due to the coronavirus pandemic, the researchers reported the findings to Tesla through its bug bounty.
To hack a Tesla, the researchers exploited two vulnerabilities in ConnMan, the internet connection manager for embedded devices that Tesla used. In the attack, dubbed TBONE, a remote attacker can use this zero-click exploit to take full control of Tesla’s infotainment system without any user interaction.
This would allow the attacker to perform any task of a regular user of the infotainment system: opening and closing doors, modifying steering and acceleration modes, adjusting seat positions, playing music, and controlling the air conditioning. However, the attack does not give control over the driving of the car.
The researchers used a drone connected to Wi-Fi to launch the attack. They successfully hacked a parked car and opened its doors from a distance of up to 100 meters (300 feet).
The Tesla models affected by the bugs are Tesla S, 3, X, and Y.
“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. We did not want to weaponize this exploit into a worm, however,” Weinmann said.
Tesla patched the vulnerabilities in October 2020. The automaker has reportedly stopped using the ConnMan internet connection manager. They also notified Intel, the original maker of ConnMan. And since the ConnMan component is widely used in the automotive industry, Weinmann and Schmotzle reported the bugs to Germany’s national CERT so that it could inform potentially impacted vendors.