Security researchers have shown it’s possible to hack a Tesla remotely and open its doors by using a drone in the sky, leading to concerns about more widespread vulnerabilities in other devices.
Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris this week released details of the “TBONE” hack they had uncovered.
The researchers demonstrated how a Tesla can be hacked remotely without any interaction with the driver, using a drone up to 100 metres away.
While the vulnerability doesn’t allow the hacker to take control of the car and drive it, it would allow them to open the doors and interfere with the console.
The attack involved the exploitation of two vulnerabilities in the internet connection manager for embedded devices, named Connman.
The researchers showed how someone could take advantage of these flaws to gain full control of a Tesla’s infotainment system without any user interaction.
The attacker does this using a drone with a WiFi dongle, hovering up to 100 metres away from the parked Tesla.
“It would be possible for an attacker to unlock the doors and trunk, change seat positions, both steering and acceleration modes – in short pretty much what a driver pressing various buttons on the console can do,” the researchers said.
The hack would have worked against Tesla S, 3, X and Y models, they said.
It would also be easier to “weaponise” these vulnerabilities, the researchers said.
“Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new WiFi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity,” they said.
“We did not want to weaponise this exploit into a worm, however.”
Weinmann and Schmotzle had planned to take part in the Pwn2Own 2020 hacking competition, which offered prizes for hacking a Tesla.
But after this competition was called off due to the COVID-19 pandemic, the researchers eventually reported the flaw they had discovered directly to Tesla’s bug bounty program.
Tesla patched the vulnerability through an update in October last year and has reportedly stopped using the Connman system.
But this component is understood to be used widely in the automotive industry, meaning that similar attacks may be possible on other vehicles.
The researchers said they have since tried to work with Germany’s national CERT to help inform potentially impacted vendors, but it’s unclear if other manufacturers have also ceased using Connman.
It’s not the first time a Tesla has been shown to be hackable.
In November last year, a Belgian security researcher found that it was possible to steal a Tesla using just Bluetooth.
He discovered a vulnerability in the Tesla Model X: a series of security flaws in its keyless entry system that an attacker could take advantage of to steal a vehicle.
“Basically, a combination of two vulnerabilities allows a hacker to steal a Model X in a few minutes,” the researcher Lennert Wouters said.
“When you combine them, you get a much more powerful attack.”