Equipment flew over the car replicating the network configured for dealerships and opened the vehicle’s doors after exploiting the vulnerability.
Two security researchers demonstrated an attack capable of taking control of Tesla’s on-board entertainment system to control vehicle functions, including air conditioning, music, doors and acceleration modes.
The demonstration featured a drone that, flying over a Tesla Model X, created a special Wi-Fi network to exploit a vulnerability and open the car doors. Although the same attack could be carried out with a notebook, the simulated drone scenario warns of the possibility of more discreet attacks.
The problem was identified by experts Ralf-Philipp Weinmann, from Kunnamon, and Benedikt Schmotzle, from Comsecuris. The work was initially carried out for the Pwn2Own competition, which would reward researchers with a car if they encountered such an attack.
Because of the Covid pandemic, this category of Pwn2Own was canceled. The competition moved to videoconference and focused on other portable “internet of things” devices, such as speakers and televisions.
However, the experts continued the research and identified the loophole, which was reported directly to Tesla. In addition to the Model X, the experts say the Model S, Model 3 and Model Y were also vulnerable.
The automaker released an update to correct the problem in October 2020. The demonstration of the attack, however, was only published last week by the CanSecWest security conference (you can watch the video, in English).
Since the attack gives access only to Tesla’s on-board entertainment system, it is not possible to “drive” the vehicle remotely through this flaw.
Even so, the researchers speculated that it may be possible to replace all the code responsible for the functioning of the car’s Wi-Fi. If this replacement were successful, attackers could create a permanent remote access channel on the vehicle.
Other brands and products may be vulnerable
The fault found by the experts is located in software called “ConnMan” (short for “Connection Manager”). It is a component responsible for initiating and configuring network connections, such as Wi-Fi.
The experts pointed out that this code was developed by an employee of the processor manufacturer Intel, but the company denied that it is currently responsible for it, as the project is now maintained by other groups. To get around the situation, Tesla reportedly decided to replace ConnMan with other equivalent software.
ConnMan is intended for embedded systems, that is, packages that provide an integration between hardware and software. For this reason, it is possible that other devices, and even vehicles of other brands, are vulnerable.
The experts contacted Germany’s security incident response team so that other automakers could be notified and make the necessary adjustments. So far, it has not been confirmed whether other vehicles have already received, or will need to receive, an update.
Even if not all of the vulnerable devices have been fixed, an attack would still depend on finding a channel to exploit the error.
In the specific case of Tesla, parked vehicles scan the surroundings for a Wi-Fi network called “Tesla Service”, which should normally be used for maintenance procedures carried out by dealerships, for example.
However, it was possible to extract the settings and password for this network from the software installed in the vehicle. The drone prepared by the experts then replicated the “Tesla Service” Wi-Fi network, triggering an automatic connection when it approached the car.
This connection alone is not sufficient to provide access to the Tesla’s on-board system. It is only the first stage of the attack, which can only proceed by exploiting the flaw found in ConnMan.
In other words, the maintenance network merely spares the attacker from having to convince the vehicle owner to connect to a malicious network, since this programmed behavior can be taken advantage of instead.
In addition, the possibility that the same attack could work over the cellular network has not been ruled out. In that case, the attacker would need to be able to create a fake mobile network or manipulate the service provider’s network.