A recent presentation at the Black Hat Asia conference last week placed the spotlight on securing the Internet of Things, this time in the form of an electric car.
According to researcher Nitesh Dhanjani, Tesla Motors gives car owners the ability to unlock their car doors using their mobile phones, creating a potential opening for criminals able to get their hands on the user’s password.
In a paper, Dhanjani explained that to order a Tesla Model S, users have to establish a password-protected account on teslamotors.com. Once the car is delivered, the owner can use a mobile app to take a number of actions, including both locking and unlocking the car as well as flashing the lights. They cannot use the app to actually start the car, which requires the actual key fob.
Still, this new reality opens up a number of potential attack vectors, Dhanjani argued, including the use of brute-force attacks. According to Dhanjani, the Tesla website does not have an account lockout policy that goes into effect after multiple failed login attempts. The situation is also attractive for phishers who may look to steal the credentials as well. From there, the attackers could find the cars associated with the accounts and unlock the doors.
“Once credentials are gathered,” the researcher wrote, “phishers can easily check the location of the cars for the accounts they have compromised by using the Tesla REST API (destination https://portal.vn.teslamotors.com/) by following these steps:
A. Login by submitting to /login and setting the user_session[email] and user_session [password] parameters.
B. Use the session token from A to obtain the vehicle list by submitting a GET request to /vehicles.
C. User the vehicle id obtained in B to query the location of the vehicle by submitting a GET request to /vehicle/{id}/command/drive_state. This will return the location in the form of latitude and longitude.
“Once the phisher has obtained the location of the vehicles mapped to the compromised accounts he or she can unlock a particular vehicle or a set of vehicles (buy invoking the following in a loop): GET request to /vehicles/{id}/command/door_unlock,” he wrote.
The researcher also noted that third-party applications have already begun to leverage the Tesla REST API to build applications. This could be problematic in the case of malicious apps or in the event the third-party infrastructure is compromised. Until Tesla announces an SDK and the methods they are going to outline to sandbox applications, users should refrain from using third-party applications, he wrote.
Dhanjani stated that he has shared his findings with Tesla Motors. In a statement, a spokesperson for the car company told Reuters that the company “will continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process.”
“Given the serious nature of this topic, we know we can’t attempt to secure our vehicles the way we have attempted to secure our workstations at home in the past by relying on static passwords and trusted networks,” according to Dhanjani’s paper. “The implications to physical security and privacy in this context have raised stakes to the next level.”
