How to Steal Tesla Car by Hacking into Owner's Smartphone







Noredine BAHRI
2016-11-27 19:29:56

New technology is always a little scary, and so are smart cars. From GPS systems and satellite radio to wireless locks, steering, brakes, and accelerator, today's vehicles are more connected to networks than ever, and so they are more hackable than ever.

It's not new for security researchers to hack connected cars. Previously they had demonstrated how to hijack a car remotely, and how to disable a car's crucial functions like airbags by exploiting security bugs affecting significant automobiles.
Now this time, researchers at Norway-based security firm Promon have demonstrated how easy it is for hackers to steal Tesla cars through the company's official Android application that many car owners use to interact with their vehicle.

Two months ago, Chinese security researchers from Keen Lab managed to hack a Tesla Model S, which allowed them to control a car in both Parking and Driving Mode from 12 miles away.

However, Promon researchers have taken an entirely different approach.

 

Tesla Stores OAuth Token in Plaintext


The researchers infected a Tesla owner's phone with Android malware and compromised Tesla's smartphone app, allowing them to locate, unlock and drive away with a Tesla Model S.

However, Tesla has clarified that the vulnerabilities used in the latest attack do not reside in its app; rather, the attack employed known social engineering techniques that trick people into installing malware on their Android devices, which compromises their entire phone and all apps, including the Tesla app.

In a blog post, Promon researchers explained that the Tesla app generates an OAuth token when a Tesla owner logs in to the Android app for the first time. The app then uses this token instead of requiring the username and password every time the owner re-opens the app.
 

This OAuth token is then stored in plain text in the device's system folder, which can be accessed only by the privileged root user.


Researchers Demonstrate How to Steal a Tesla Car:


According to the researchers, it is easy for an attacker to develop a malicious app that contains Android rooting exploits such as Towelroot and Kingroot, which can then be used to escalate the malicious app's privileges, allowing attackers to read the OAuth token from the Tesla app.

Stealing this token could enable an attacker to locate the car and open its doors, but could not help the attacker start and drive away with the owner's car.

For this, the malware needs to delete the OAuth token from the owner's phone, which prompts the owner to enter his/her username and password again, allowing the attacker to collect the owner's login credentials.

Researchers say this can be done by modifying the original Tesla app's source code. Since the malware has already rooted the owner's smartphone, it can alter the Tesla app and send a copy of the victim's username and password to the attacker.

 

 

With this data, the attacker can perform a series of actions, like locating the car on the road, opening its doors, starting the car's motor and driving the car away unhindered, just by sending well-crafted HTTP requests to the Tesla servers with the owner's OAuth token and password.

Tesla says this is not an issue with its product but with common social engineering tricks that attackers use to first compromise the victim's phone, root the device and then alter its app data.

The researchers' attack is only possible when an attacker convinces a victim to download a malicious app on his/her Android device.

 


© 2013-2018 best of geeks. All rights reserved.