While most of us would surely love to own a Tesla Model S, chances are that most of us don’t, so we’ll look at a security weakness that might allow an attacker to control the locks of a Tesla Model S sedan as well as a $20 “untraceable” device that would allow an attacker to remotely take control of most other cars that are CAN-enabled vehicles.
Nitesh Dhanjani, who presented “Abusing the Internet of Things: Blackouts, Freakouts and Stakeouts” at Black Hat Asia said that crooks can locate and unlock a Tesla Model S by cracking the six-character password associated with each vehicle and its corresponding iOS app. If the account was compromised, a crook could use the app to control locking, unlocking, honking the horn and flashing the lights.
Dhanjani wrote about the security threats and potential low hanging fruit, warning that “we can't protect our cars like we protect our workstations.” In essence, a Tesla Model S app and the owner’s account are controlled by a password that is vulnerable to the same types of attacks as those used to gain access to a PC or an online account: brute-force, phishing and malware attacks as well as password leaks, social engineering Tesla employees, or compromising the owner’s email account.
While I’m not blowing off the security weakness and potential flaws, even if the Tesla account password was cracked or stolen, it would allow an attacker to control the iOS app; that means a crook could unlock the car and steal the contents, but not steal the Tesla itself. A Tesla Model S requires a key fob to be present in order for the car to be driven.
Now compare that to an “untraceable” device that can be built for a mere $20 and could grant attackers wireless control of a car.
Alberto Garcia Illera made a lasting impression on me when he gave a Def Con talk about “How to hack all the transport networks of a country.” While he’s given several other security presentations since then, you might be interested in the most recent from Black Hat Asia in Singapore. Illera, along with security consultant Javier Vazquez Vidal presented “Dude, WTF in my CAN!”
The Spanish duo created a device that is small enough to fit in the palm of your hand and is built from unremarkable, off-the-shelf components. Even if the device were discovered after being connected to a car, it “wouldn’t necessarily provide clues as to who planted it.” In fact, according to Vazquez Vidal, “It’s totally untraceable.”
The device is a CAN Hacking Tool that “attaches via four wires to the Controller Area Network or CAN bus of a vehicle, drawing power from the car’s electrical system and waiting to relay wireless commands sent remotely from an attacker’s computer.” Vazquez Vidal told Forbes’ Andy Greenberg, “It can take five minutes or less to hook it up and then walk away. We could wait one minute or one year, and then trigger it to do whatever we have programmed it to do.”
Although they gave the same talk at Def Con 21, they upgraded their CAN Hacking Tool (CHT) for Black Hat Asia. Instead of communicating via Bluetooth, which limited wireless attacks to within a few feet of the device, now it can communicate via GSM cellular radio. Put another way, the new-and-improved tool could allow attackers “to control the device from miles away.”
Both where the device could be attached to the car as well as the commands an attacker could carry out depend upon the vehicle’s make and model. In some cases, connecting the device to a vehicle was as easy as crawling underneath. Other times, they had to gain access to the trunk or under the hood. Although they carried out prank-like hacks, such as rolling down the windows or setting off alarms, they suggested [pdf], “A bad guy could bring out an accident” making it look like “the driver lost the control of his own car.”
That might sound a bit far-fetched, but then again…last year a former government cybersecurity expert said that car hacking, a cyberattack, was a possible theory behind the crash that that killed journalist Michael Hastings.
Below is a video of the duo’s Def Con presentation, but if car hacking interests you like it does me, then you might want to check out these related articles:
Remote attacks to hack and set cars to self-destruct?
Busted! Your car's black box is spying, may be used against you in court
'War Texting' SMS attack to steal a car or control SCADA systems?
You can also check out the original presentation "Dude, WTF in my CAN!" [pdf]