A drone flies over a Tesla Model X, and after a little less than a minute the doors open automatically. Security researchers Ralph-Philipp Weinmann and Benedikt Schmotzle from Comsecuris show how they penetrated the vehicle's control system through a security hole called Tbone Connman.
Tesla vehicles use a WiFi network whose key is preset in the firmware. Security researchers had already documented hacking a Tesla over WLAN a few years ago, and we at Torque News warned about it in 2013, writing how Tesla Model S remote access may let hackers mess with car.
WiFi vs WLAN
Both Wi-Fi (wireless fidelity) and WLAN (wireless local area network) mean the same; they both refer to a wireless network that can transfer data at high speeds. ... The software also shows the connected computers and devices that are accessing the Internet through your Wi-Fi hotspot.
The vehicles run an embedded Linux system, and a program called Connman handles their network configuration. Weinmann and Schmotzle, who are from Germany, fuzzed Connman with American Fuzzy Lop (AFL) to look for security gaps in its processing of DNS requests and quickly found what they were looking for.
Their Tesla drone exploit combines a stack buffer overflow in the processing of DNS requests (CVE-2021-26675) with a flaw in the DHCP stack (CVE-2021-26676) that allows parts of memory to be read. Together, these make it possible to execute malicious code on the vehicles.
The attack does not allow anyone to drive the vehicle. A separate embedded system is used for that.
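The article gives no code for the Connman bugs, so the following is an added illustration of the general bug class it names (a stack buffer overflow while parsing DNS data), not Connman's code or the researchers'. The function name `dns_name_decode` and the limits are assumptions made for this example; it shows the length checks a DNS name decoder needs before every read and write, and it is the kind of function a fuzzer such as AFL would be pointed at.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NAME_MAX_LEN 255   /* cap on decoded text, from RFC 1035's name limit */
#define MAX_JUMPS    16    /* cap on compression pointers followed */

/* Hypothetical helper (not from Connman): decode the DNS name at msg[off]
 * into out as dotted, NUL-terminated text. Returns the text length, or -1
 * on malformed or oversized input. Every write into out is checked against
 * out_len; omitting that check is what turns a long name into an overflow
 * of a fixed-size stack buffer. */
int dns_name_decode(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_len)
{
    size_t pos = 0;
    int jumps = 0;

    if (out_len == 0)
        return -1;
    while (1) {
        if (off >= msg_len)
            return -1;                       /* read past end of packet */
        uint8_t len = msg[off];
        if (len == 0)
            break;                           /* root label: end of name */
        if ((len & 0xC0) == 0xC0) {          /* compression pointer */
            if (off + 1 >= msg_len || ++jumps > MAX_JUMPS)
                return -1;                   /* truncated or looping */
            off = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if (len & 0xC0)
            return -1;                       /* reserved label type */
        if (off + 1 + len > msg_len)
            return -1;                       /* label runs off the packet */
        /* room needed: optional dot + label, plus the final NUL */
        size_t need = (pos ? 1 : 0) + len;
        if (pos + need + 1 > out_len || pos + need > NAME_MAX_LEN)
            return -1;                       /* would overflow out */
        if (pos)
            out[pos++] = '.';
        memcpy(out + pos, msg + off + 1, len);
        pos += len;
        off += 1 + (size_t)len;
    }
    out[pos] = '\0';
    return (int)pos;
}
```

A caller that receives -1 should drop the packet instead of using whatever was partially written to the output buffer.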
The attack could be expanded into a malware worm. It would be possible to use a local root exploit to gain complete control of the embedded Linux and then connect to other vulnerable Tesla vehicles via WLAN and control them as well.
The security holes in Connman have now been closed in version 1.39. According to the discoverers, other automakers also use Connman, and the manufacturers have been informed through CERT-Bund since January. Tesla closed the relevant loophole in October 2020.
Tesla Drone Exploit Was Developed in an Emulator
The discoverers didn't need a real Tesla to analyze the vulnerabilities and develop the exploit. They used a tool called Kunnaemu, in which such embedded systems can be emulated.
A technical background paper describes the details of the vulnerabilities and the exploit. The results were also presented in a lecture at the CanSecWest IT security conference, which was held online due to the COVID-19 pandemic.
Watch their drone hack, using a DJI Mavic 2 and a Tesla Model X, in action from 36 minutes into their technical talk.
Armen Hareyan is the founder and the Editor in Chief of Torque News. He founded TorqueNews.com in 2010, which since then has been publishing expert news and analysis about the automotive industry. He can be reached at Torque News Twitter, Facebook, LinkedIn and YouTube.