According to researchers, it is easy for an attacker to develop a malicious app that contains Android rooting exploits such as Towelroot and Kingroot, which can then be used to escalate the malicious app's privileges, allowing attackers to read OAuth token from the Tesla app.
Stealing this token could enable an attacker to locate the car and open its doors, but could not help the attacker start and drive away with the owner's car.
For this, the malware needs to delete the OAuth token from the owner's phone, which prompts the owner to enter his/her username and password again, allowing the attacker to collect the owner's login credentials.
Researchers say this can be done by modifying the original Tesla app's source code. Since the malware has already rooted the owner's smartphone, it can alter the Tesla app and send a copy of the victim's username and password to the attacker.
With this data, the attacker can perform a series of actions, like locating the car on the road, open its doors, start the car's motor and drive the car away unhindered, just by sending well-crafted HTTP requests to the Tesla servers with the owner's OAuth token and password.
Tesla says it is not the issue with its product but common social engineering tricks used by attackers to first compromise victim's phone, rooting the device and then altering its apps data.
The researchers' attack is only possible when an attacker convinces a victim into downloading a malicious app on his/her Android device.
With Halloween fast approaching, young children, will be heading out across neighborhoods in the world, to trick or treat, dressed as their favorite c
Out of those 30 million accounts, hackers successfully accessed personal information from 29 million Facebook users, though the company assured that t
As it turns out, even when you opt to limit Google's ability to track your location when using its search function or apps, some of your time-stam
WhatsApp, the most popular messaging application in the world, has been found vulnerable to multiple security vulnerabilities that could allow malicio
Besides Timehop, another data breach was discovered last week that affects users of one of the largest web hosting companies in Germany, DomainFa
Digitally signed malware has become much more common in recent years to mask malicious intentions. Security researchers have discovered a new ma