Hackers stole Tesla car using App

A team of hackers at a Norwegian cyber security firm has demonstrated how cyber-criminals can easily defeat the security of a Tesla car just by compromising the car's companion smartphone application.

The cyber security researchers of the firm Promon used a laptop to remotely unlock the Model S's doors, start the electric car and drive away unhindered without using the key. They managed to do so by hacking a car owner's smartphone.

The company published a video that exposes the vulnerabilities in the Tesla app, which owners commonly use to check the battery level and charging status, locate their car, regulate the temperature before getting in, and flash the lights to help find the car in a car park.
The app is available for both Android and iOS phones.

The hackers first convince the owner to download a malicious app onto their phone and then create a free and open Wi-Fi hotspot close to a Tesla charging station.

Tom Lysemose Hansen, founder and CTO at Promon, said: “Keen Security Labs' recent research exploited flaws in the CAN bus systems of Tesla vehicles, enabling them to take control of a limited number of functions of the car. Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car.”

Within a few days of the demonstration, Tesla sent out a software patch to fix the flaw.

“By moving away from having a physical car key to unlock the door, Tesla is basically taking the same step as banks and the payment industry. Physical tokens are replaced by ‘mobile tokens,’” Hansen said. “We strongly believe that Tesla and the car industry need to provide a comparable level of security, which is certainly not the case today.”