Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Vulnerability Exposed Tesla Central Touchscreen to DoS Attacks

Tesla Model 3 hacked again

Tesla Model 3 hacked again

Hackers could have caused a Tesla Model 3’s central touchscreen to become unusable simply by getting the targeted user to visit a specially crafted website. The car maker has released a software update that patches the vulnerability.

A researcher who uses the online moniker Nullze discovered that the Tesla Model 3’s web interface is affected by a denial-of-service (DoS) vulnerability.

The flaw, tracked as CVE-2020-10558 and blamed on “improper process separation,” allows an attacker to cause the central display to become unresponsive.

“[The vulnerability] allows attackers to disable the speedometer, web browser, climate controls, turn signals, navigation, autopilot notifications, and blinker notifications along with other miscellaneous functions from the main screen,” Nullze explained in a blog post.

“To exploit the vulnerability, a user has to go to a specially crafted web page. This web page will crash the chromium-based browser interface and inherently crash the entire Tesla Model 3 interface,” he added.

The researcher pointed out that while exploitation of the vulnerability causes the central display to crash, the car can still be driven. The display starts working once the car has been turned off and turned on again.

The vulnerability was reported to Tesla through the electric car maker’s bug bounty program on Bugcrowd. The researcher was awarded an undisclosed bug bounty for his findings.

Tesla offers between $100 and $15,000 for vulnerabilities. Last year, the company awarded $10,000 to a researcher who discovered a stored cross-site scripting (XSS) vulnerability that could have been exploited to obtain vehicle information.

Advertisement. Scroll to continue reading.

The company patched the flaw reported by Nullze with the release of version 2020.4.10 in mid-February. Software updates are automatically pushed to Tesla vehicles, and users can either install them immediately — if they are not about to drive the car — or schedule them for later.

Tesla owners who have yet to install the update can test the vulnerability by using a proof-of-concept (PoC) exploit made available by Nullze. The expert has also published several videos showing the exploit in action.

Nullze said he started looking at the security of Tesla cars after seeing Amat Cama and Richard Zhu win a Tesla at the Pwn2Own 2019 competition after they hacked the vehicle’s web browser.

Related: Tesla Breach: Malicious Insider Revenge or Whistleblowing?

Related: Tesla Model X Hacked by Chinese Experts

Related: Hackers Can Clone Tesla Key Fobs in Seconds

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.