This was the result of research conducted last year by Ralf-Philipp Weinmann of Kunnamon and Benedikt Schmotzle of Comsecuris. The analysis was initially carried out for the Pwn2Own 2020 hacking competition, which offered a car and other significant prizes for hacking a Tesla, but the findings were reported to Tesla through its bug bounty program after Pwn2Own organizers decided to temporarily drop the car category due to the coronavirus.
The attack, called TBONE, exploits two vulnerabilities in ConnMan, an Internet connection manager for embedded devices. An attacker can exploit these flaws to take full control of Tesla’s infotainment system without any user interaction.
With this attack, the attacker can perform any action that a regular user can perform from the infotainment system. These include opening doors, changing seat positions, playing music, controlling the climate settings, and adjusting steering and acceleration modes. However, the researchers explained, “This attack does not give control of the vehicle.”
The researchers demonstrated how an attacker can use a drone to launch the attack over Wi-Fi against a parked vehicle and open its doors from a distance of up to 100 meters. They said the exploit worked against Tesla Model S, 3, X, and Y. “Adding an escalation of climbing rights such as CVE-2021-3347 to TBONE would allow us to download new Wi-Fi firmware from Tesla’s car, making it an access point that could be used to exploit other Tesla vehicles entering the victim’s car. We did not want to equip the disease into a worm, however,” said Weinmann.
Tesla addressed the vulnerabilities with an update in October 2020 and has reportedly stopped using ConnMan. Intel was also notified, as the company was the original developer of ConnMan, but it believes the issue is not its responsibility.
The researchers found that the ConnMan component is widely used in the automotive industry, which means that similar attacks could be launched against other vehicles as well. They also presented their findings at the CanSecWest conference earlier this year. That presentation includes a video of them hacking a Tesla using a drone.
Weinmann and Schmotzle turned to Germany’s national CERT for help in informing potentially affected vendors, but it is not yet clear whether other manufacturers will take action on the researchers’ findings.
By Vedant Soni
Campus Ambassador, WCSF