Security researcher Nitesh Dhanjani examined the app-based “key” used to lock and unlock the Tesla Model S electric car and showed that it was possible to guess the key’s six-character password by brute force.
The Model S is rated one of the safest cars on the road, but the electronic security system protecting its locks may not be quite as bulletproof. The car is locked and unlocked from an iPhone app, and the only thing standing between an attacker and that app is a basic six-character password.
According to Welivesecurity, this leaves the car vulnerable to ‘brute force’ attacks, in which an attacker simply tries thousands of passwords until the correct one is found. The attack was presented by researcher Nitesh Dhanjani at a conference in Singapore.
While obtaining the password would not allow the attacker to drive the car, it would allow attackers to locate the car, unlock its doors, drain its battery, operate its headlights and halt charging.
Dhanjani pointed out that because the password is static (a single factor that never changes), phishing attacks could equally be used to obtain it, and with it control of the Model S’s app-reachable functions.
Dhanjani said, “The Tesla website doesn’t seem to have any particular account lockout policy per incorrect login attempts. This puts owners at risk since a malicious entity can attempt to brute-force the account and gain access to the iPhone functionality.”
In a statement, Tesla said, “Our customers’ security is our top priority, be that in developing a car with the highest safety rating or doing everything we can to protect them against online security breaches.
“We protect our products and systems against vulnerabilities with our dedicated team of top-notch information security professionals, and we continue to work with the community of security researchers and actively encourage them to communicate with us through our responsible reporting process.”
The following are the implications of this design:
1. Brute-force attacks: The Tesla website doesn’t seem to have any particular account lockout policy for incorrect login attempts. This puts owners at risk since a malicious entity can attempt to brute-force the account and gain access to the iPhone functionality.
2. Phishing attacks: Given that the only control around the iPhone app is a password, the situation is ripe for attackers to steal credentials using phishing attacks. Once credentials are gathered, phishers can easily check the location of the cars for the accounts they have compromised by using the Tesla REST API (documentation: http://docs.timdorr.apiary.io; API host: https://portal.vn.teslamotors.com/) and following these steps:
A. Log in by submitting the user_session[email] and user_session[password] parameters to /login.
B. Use the session token from A. to obtain the vehicle list by submitting a GET request to /vehicles.
C. Use the vehicle id obtained in B. to query the location of the vehicle by submitting a GET request to /vehicles/{id}/command/drive_state. This returns the location as a latitude and longitude.
Once the phisher has obtained the location of the vehicles mapped to the compromised accounts, he or she can unlock a particular vehicle, or a whole set of vehicles by invoking the following in a loop: a GET request to /vehicles/{id}/command/door_unlock.
3. Malware attacks: Future generations of malware are likely to harvest static single-factor passwords for vehicles such as the Tesla and ferry them to botnet herders, giving them substantial power to locate and control (for example, unlock) vehicles.
4. Password leaks: Users have a tendency to re-use their credentials on other services as well. This creates a situation where an attacker who has compromised a major website can try the same credentials against the Tesla website and iPhone app. Major password leaks are now a daily occurrence. An attacker can easily take usernames and passwords from such a leak and attempt to log in on the Tesla iOS app (or automate the process described in 2. using the REST API) to locate and unlock cars.
5. Social engineering and Tesla employees: In addition to these issues, it is widely known amongst Tesla owners that Tesla customer service has the ability to unlock cars remotely. It is unclear what consistent requirements owners have to go through to verify their identity. Without clear requirements, it is possible that a malicious entity may succeed in social-engineering Tesla customer service into unlocking someone else’s car. It is also unclear what background checks Tesla employees are subject to prior to being given the power to unlock any Tesla car.
6. Email account compromise: Anyone with temporary access to the owner’s email can reset the owner’s password. They will not be required to answer any secret questions or provide any additional information. For a car as expensive as the Tesla Model S, and given the physical consequences of theft of material inside the car, it is recommended that owners protect their email accounts by:
A. Setting up a separate GMail account that is not tied to any other service and enabling two-factor authentication on it.
B. Linking this GMail address to their Tesla profile.
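The first and fourth implications above (brute force against one account, and replay of leaked credentials across many accounts) are easiest to see by running both attacks against a model of the login endpoint. The following is an added example, not code from the post or from Tesla: a simulated login front-end whose defaults mirror the behaviour described (no lockout, no per-source limit), with optional per-account lockout and per-IP throttling switched on for comparison. The accounts, the wordlist, the “leaked” pairs and the thresholds are all constructed for the simulation.

```python
"""Added example: a login endpoint with no lockout policy versus one with per-account
lockout and per-source throttling. Simulation only; every account, password, wordlist
entry and threshold below is constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple
import hmac

# Constructed accounts (a real service stores salted hashes, not the passwords themselves).
USERS: Dict[str, str] = {
    "owner1@example.com": "Qz7!mPa1",
    "owner2@example.com": "Tesla123",   # weak, and reused on another site (see LEAKED)
    "owner3@example.com": "hunter2!!",  # reused on another site
}

# Constructed attacker inputs.
GUESSES: List[str] = ["123456", "password", "qwerty", "letmein", "abc123",
                      "tesla", "model s", "Tesla123", "iloveyou", "welcome"]
LEAKED: List[Tuple[str, str]] = [          # "dump" from an unrelated breached site
    ("victim-a@example.com", "summer2014"),
    ("victim-b@example.com", "letmein"),
    ("victim-c@example.com", "qwerty"),
    ("owner2@example.com", "Tesla123"),
    ("owner3@example.com", "hunter2!!"),
]


@dataclass
class LoginPolicy:
    """Login front-end. The defaults (None) model what the post describes: no limits at all."""
    max_failures: Optional[int] = None    # failed attempts per account before lockout
    max_per_source: Optional[int] = None  # attempts per source IP inside the window
    window: int = 900                     # seconds; the thresholds here are illustrative
    _fails: Dict[str, Deque[int]] = field(default_factory=lambda: defaultdict(deque))
    _src: Dict[str, Deque[int]] = field(default_factory=lambda: defaultdict(deque))

    def _prune(self, dq: Deque[int], now: int) -> None:
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def attempt(self, email: str, password: str, src_ip: str, now: int) -> str:
        """Return 'ok', 'bad_password', 'locked' or 'throttled'."""
        acct, src = self._fails[email], self._src[src_ip]
        self._prune(acct, now)
        self._prune(src, now)
        if self.max_failures is not None and len(acct) >= self.max_failures:
            return "locked"                       # do not even evaluate the password
        if self.max_per_source is not None and len(src) >= self.max_per_source:
            return "throttled"
        src.append(now)
        real = USERS.get(email)
        if real is not None and hmac.compare_digest(real, password):
            acct.clear()
            return "ok"
        acct.append(now)                          # unknown accounts are counted too
        return "bad_password"


def brute_force(policy: LoginPolicy, email: str, guesses: List[str],
                src_ip: str = "198.51.100.7") -> Tuple[Optional[str], Dict[str, int]]:
    """Implication 1: one account, one guess per second, from one source."""
    counts: Dict[str, int] = defaultdict(int)
    for t, guess in enumerate(guesses):
        result = policy.attempt(email, guess, src_ip, now=t)
        counts[result] += 1
        if result == "ok":
            return guess, dict(counts)
    return None, dict(counts)


def credential_stuffing(policy: LoginPolicy, leaked: List[Tuple[str, str]],
                        src_ip: str = "198.51.100.7") -> Tuple[List[str], Dict[str, int]]:
    """Implication 4: replay leaked email/password pairs, one attempt per account."""
    hits: List[str] = []
    counts: Dict[str, int] = defaultdict(int)
    for t, (email, pw) in enumerate(leaked):
        result = policy.attempt(email, pw, src_ip, now=t)
        counts[result] += 1
        if result == "ok":
            hits.append(email)
    return hits, dict(counts)


if __name__ == "__main__":
    print("no policy, brute force: ", brute_force(LoginPolicy(), "owner2@example.com", GUESSES))
    print("lockout=5, brute force: ", brute_force(LoginPolicy(max_failures=5), "owner2@example.com", GUESSES))
    print("lockout=5, stuffing:    ", credential_stuffing(LoginPolicy(max_failures=5), LEAKED))
    print("per-source=3, stuffing: ", credential_stuffing(LoginPolicy(max_per_source=3), LEAKED))
```

With no policy the wordlist reaches the weak password on the eighth guess; a five-failure lockout stops the same run after five. Lockout alone does nothing against credential stuffing, because each leaked pair costs the attacker only one attempt per account, and both reused passwords get in. Only the per-source throttle catches that case, which is why a login endpoint needs both controls (and why a static single-factor password is the underlying problem the post is pointing at).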
On a somewhat positive note, it was noted that the Tesla website incorporates an anti-CSRF token (form_token), which prevents a malicious website from taking over the user’s account by making the owner’s browser send a POST request to the /user/me/edit functionality that lets users change their password and username.
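To show why that token matters, here is an added example (constructed for this post, not Tesla’s code) of a profile-edit handler with and without a form_token check, together with the cross-site POST a malicious page could make the owner’s browser send. The handler names, session store, cookie name, server key and the attacker’s form are all assumptions; only the endpoint /user/me/edit and the field name form_token come from the text.

```python
"""Added example of the kind of anti-CSRF check the post credits the Tesla site with
(a form_token on the profile-edit POST). Handler names, the session store and the
attacker's page are constructed for illustration; this is not Tesla's code."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Tuple

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; assumed, not from the post

Store = Dict[str, Dict[str, str]]      # session id -> profile record
Handler = Callable[[Store, Dict[str, str], Dict[str, str]], int]


def form_token(session_id: str) -> str:
    """Token bound to the session via HMAC. The attacker's page never sees the
    victim's session id or token, so it cannot supply a valid one."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def edit_profile_vulnerable(store: Store, cookies: Dict[str, str], form: Dict[str, str]) -> int:
    """POST /user/me/edit authenticated by the session cookie alone. A browser attaches
    that cookie to a cross-site POST too, so any page the victim visits can submit it."""
    sess = store.get(cookies.get("session", ""))
    if sess is None:
        return 401
    sess.update({k: form[k] for k in ("email", "password") if k in form})
    return 200


def edit_profile_protected(store: Store, cookies: Dict[str, str], form: Dict[str, str]) -> int:
    """Same handler with the form_token check: the submitted token must match the
    one minted for this session, compared in constant time."""
    session_id = cookies.get("session", "")
    sess = store.get(session_id)
    if sess is None:
        return 401
    if not hmac.compare_digest(form.get("form_token", ""), form_token(session_id)):
        return 403                                  # reject before touching the record
    sess.update({k: form[k] for k in ("email", "password") if k in form})
    return 200


def fresh_store() -> Store:
    """Constructed victim session for a logged-in owner."""
    return {"sid-owner1": {"email": "owner1@example.com", "password": "Qz7!mPa1"}}


def cross_site_post(handler: Handler) -> Tuple[int, str]:
    """The owner's browser, lured to a malicious page, auto-submits a hidden form to
    /user/me/edit. The session cookie rides along; the attacker can only guess form_token.
    Returns (HTTP status, e-mail on record afterwards)."""
    store = fresh_store()
    attacker_form = {"email": "attacker@example.net", "password": "pwned",
                     "form_token": secrets.token_hex(32)}   # a guess; cannot be the real one
    status = handler(store, {"session": "sid-owner1"}, attacker_form)
    return status, store["sid-owner1"]["email"]


def same_site_post(handler: Handler) -> Tuple[int, str]:
    """The owner's own form, rendered by the site with the real form_token embedded."""
    store = fresh_store()
    owner_form = {"email": "new-address@example.com", "form_token": form_token("sid-owner1")}
    status = handler(store, {"session": "sid-owner1"}, owner_form)
    return status, store["sid-owner1"]["email"]


if __name__ == "__main__":
    print("cross-site, no token check:", cross_site_post(edit_profile_vulnerable))
    print("cross-site, token check:   ", cross_site_post(edit_profile_protected))
    print("owner's own form:          ", same_site_post(edit_profile_protected))
```

Without the check, the forged request rewrites the owner’s e-mail (and with it the password-reset path from implication 6) with a 200. With the check, the same request is refused with a 403 before the record is touched, while the owner’s own form, which carries the token the site rendered into the page, still succeeds. Binding the token to the session with an HMAC means the server does not have to store it; a random per-session token kept server-side works equally well.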