Tesla Model 3 car was hacked from a multicopter (for entertainment), source
Tesla cars by default connect to any WiFi point with an SSID
Tesla Service
. This is very handy for hacking. The password is specified in the .ssq file that comes with the car, or you can find it on the Internet (see the screenshot under the cut).
Thus, you can connect the car to your fake hotspot. Then exploit vulnerabilities in software - and gain control over some functions. In fact, everything is quite simple: such tricks are shown at every hacker conference.
The problem is that critical vulnerabilities exist not only in Teslas, but in almost all modern cars.... It's just that Tesla offers big prizes for reporting bugs, so this information is published in the media. The rest of the cars are hacked in silence.
Hack Tesla
Twitter profile with password for Tesla Service
The latest hacking conference PWN2OWN 2020 was canceled, so the authors have just published their report on hacking Tesla. They wrote a Comsecuris exploit that exploits two vulnerabilities in the ConnMan daemon . This is the standard Linux connection manager. In particular, there is a buffer overflow in the DNS forwarder and a stack infoleak in the DHCP component.
The Tesla 3 has the latest version of ConnMan 1.37, without the CVE-2017-12865 vulnerability found in version 1.34. So I had to look for new bugs. We got lucky here: the possibility of a buffer overflow was discovered in a function
uncompress()
.
1 static char *uncompress(int16_t field_count, char *start, char *end,
2 char *ptr, char *uncompressed, int uncomp_len,
3 char **uncompressed_ptr)
4 {
5 char *uptr = *uncompressed_ptr; /* position in result buffer */
6
7 debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);
8
9 while (field_count-- > 0 && ptr < end) {
10 int dlen; /* data field length */
11 int ulen; /* uncompress length */
12 int pos; /* position in compressed string */
13 char name[NS_MAXLABEL]; /* tmp label */
14 uint16_t dns_type, dns_class;
15 int comp_pos;
16
17 if (!convert_label(start, end, ptr, name, NS_MAXLABEL,
18 &pos, &comp_pos))
19 goto out;
20
21 /*
22 * Copy the uncompressed resource record, type, class and \0 to
23 * tmp buffer.
24 */
25
26 ulen = strlen(name);
27 strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
28
29 debug("pos %d ulen %d left %d name %s", pos, ulen,
30 (int)(uncomp_len - (uptr - uncompressed)), uptr);
31
32 uptr += ulen;
33 *uptr++ = '\0';
34
35 ptr += pos;
36
37 /*
38 * We copy also the fixed portion of the result (type, class,
39 * ttl, address length and the address)
40 */
41 memcpy(uptr, ptr, NS_RRFIXEDSZ);
42
43 dns_type = uptr[0] << 8 | uptr[1];
44 dns_class = uptr[2] << 8 | uptr[3];
45
46 if (dns_class != ns_c_in)
47 goto out;
48
49 ptr += NS_RRFIXEDSZ;
50 uptr += NS_RRFIXEDSZ;
In lines 27 and 41, the function
memcpy
copies the
uptr
contents of memory into the buffer with a fixed size of 10 bytes (
NS_RRFIXEDSZ
), without checking whether the size of the output buffer matches the number of copied bytes.
In the presentation, the hackers explained that control over the ConnMan daemon gives much more power than other non-root daemons in the Tesla multimedia system: it allows you to turn off the firewall, change routing tables, load or unload kernel modules (if they are not signed).
In our case, it is enough to turn off the firewall and send the necessary commands to the computer. Of course, you cannot control a car through a multimedia system, but you can unlock the doors, change the acceleration mode, steering and other functions available from the computer control panel under Linux (there used to be Ubuntu).
Mandatory security updates
Tesla cars have an advanced computer system, and the company pays very big money (in the region of $ 300,000) to report such vulnerabilities. In fact, hackers successfully break into cars and other manufacturers, it is just that this is not always reported to the general public.
Upstream Security publishes an automotive vulnerability report annually. The latest 2021 Global Automotive Cybersecurity Report contains information on over 200 security incidents from 2010 to 2020.
Here are the statistics on attack vectors over the years:
Remote hacking today accounts for 80% of attacks, physical penetration - 20%. Cloud services are the main vector.
In June 2020, the UN adopted a common security regulation for transport: UNECE WP.29 Cybersecurity. In 2021-2022, these regulations will be considered in several countries, and in 2023-2024 wider adoption is expected around the world. The first regulation is called Cybersecurity and Cybersecurity Management Systems (CSMS). See here for the latest version .
The CSMS document contains information on cybersecurity threats and lists a large number of vulnerabilities and attack methods. Appendix 5 contains ten pages describing vulnerabilities in several categories . The first table briefly lists six types of threats with different types of vulnerabilities (29 are listed) and examples (67).
The following table summarizes measures to mitigate cybersecurity threats inside and outside the vehicle.
The main discussion is now around how to notify about new vulnerabilities as quickly as possible - and quickly release patches that are sent via the Internet and instantly installed on all vehicles that are turned on. But it is quite clear that urgent critical updates in modern cars cannot be done without ...
Cloud services, proximity keys via radio protocol, OBDII port, mobile applications for car control, USB and SD ports, Bluetooth, Wi-Fi, built-in modem, sensors, numerous connections via telematics systems and cloud services that work in the car, built-in multimedia system with a computer in the salon. This is too large a surface of attack ...
Probably, in the future, such "amenities" will be included in the standard equipment of all cars.
PS GlobalSign has been issuing safety certifications for various industries for 25 years . Check out our interactive 25th Anniversary page.