Tesla vehicles by default connect to any WiFi hotspot with SSID Tesla Service… This is very handy for hacking. The password is specified in the .ssq file that comes with the car, or you can find it on the Internet (see the screenshot under the cut).

Thus, you can connect the car to your fake hotspot. Then exploit vulnerabilities in software – and gain control over some functions. In fact, everything is quite simple: such tricks are shown at every hacker conference.

The problem is that critical vulnerabilities are not only in Tesla, but in almost all modern cars… It’s just that Tesla offers big prizes for reporting bugs, so this information is published in the media. The rest of the cars are hacked in silence.

Hack Tesla

Twitter profile with password for Tesla Service

The last hacking conference PWN2OWN 2020 was canceled, so the authors have just published their report on hacking Tesla. They wrote Comsecuris exploit exploiting two vulnerabilities in the ConnMan daemon… This is the standard Linux connection manager. In particular, a buffer overflow in the DNS forwarder and a stack infoleak in the DHCP component are exploited.

The Tesla 3 has the latest version of ConnMan 1.37, without the CVE-2017-12865 vulnerability found in version 1.34. So I had to look for new bugs. I got lucky here: the possibility of a buffer overflow was discovered in the function uncompress()…

1 static char *uncompress(int16_t field_count, char *start, char *end,
2 			char *ptr, char *uncompressed, int uncomp_len,
3 			char **uncompressed_ptr)
4 {
5 	char *uptr = *uncompressed_ptr; /* position in result buffer */
6
7 	debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);
8
9 	while (field_count-- > 0 && ptr < end) {
10 		int dlen; /* data field length */
11 		 int ulen; /* uncompress length */
12 		 int pos; /* position in compressed string */
13 		 char name[NS_MAXLABEL]; /* tmp label */
14 		 uint16_t dns_type, dns_class;
15 		 int comp_pos;
16
17 		 if (!convert_label(start, end, ptr, name, NS_MAXLABEL,
18 		 &pos, &comp_pos))
19 		 goto out;
20
21 		/*
22 		 * Copy the uncompressed resource record, type, class and  to
23 		 * tmp buffer.
24 		 */
25
26 		 ulen = strlen(name);
27 		 strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
28
29 		 debug("pos %d ulen %d left %d name %s", pos, ulen,
30 		 (int)(uncomp_len - (uptr - uncompressed)), uptr);
31
32 		 uptr += ulen;
33 		 *uptr++ = '';
34
35 		 ptr += pos;
36
37 		/*
38 		 * We copy also the fixed portion of the result (type, class,
39 		 * ttl, address length and the address)
40 		 */
41 		 memcpy(uptr, ptr, NS_RRFIXEDSZ);
42
43 		 dns_type = uptr[0] << 8 | uptr[1];
44 		 dns_class = uptr[2] << 8 | uptr[3];
45
46 		 if (dns_class != ns_c_in)
47 		 goto out;
48
49 		 ptr += NS_RRFIXEDSZ;
50 		 uptr += NS_RRFIXEDSZ;

On lines 27 and 41 the function memcpy copies to clipboard uptr memory contents with a fixed size of 10 bytes (NS_RRFIXEDSZ) without checking whether the size of the output buffer matches the number of copied bytes.

In the presentation, the hackers explained that control over the ConnMan daemon gives much more power than other non-root daemons in the Tesla multimedia system: it allows you to turn off the firewall, change routing tables, load or unload kernel modules (if they are not signed).

In our case, it is enough to turn off the firewall and send the necessary commands to the computer. Of course, you cannot control a car through a multimedia system, but you can unlock the doors, change the acceleration mode, steering and other functions available from the computer control panel under Linux (there used to be Ubuntu).

Mandatory security updates

Tesla cars have an advanced computer system, and the company pays very big money (in the region of $ 300,000) to report such vulnerabilities. In fact, hackers successfully break into cars and other manufacturers, it is just that this is not always reported to the general public.

Upstream Security publishes an automotive vulnerability report annually. Latest report 2021 Global Automotive Cybersecurity Report contains information on over 200 security incidents from 2010 to 2020.

Here are the statistics on attack vectors over the years:

Remote hacking accounts for 80% of attacks today, and physical penetration – 20%. Cloud services are the main vector.

In June 2020, the UN adopted a common security regulation for transport: UNECE WP.29 Cybersecurity. In 2021-2022, these regulations will be considered in several countries, and in 2023-2024 wider adoption is expected around the world. The first regulation is called Cybersecurity and Cybersecurity Management Systems (CSMS). For the latest version, see here…

The CSMS document contains information on cybersecurity threats and lists a large number of vulnerabilities and attack methods. Appendix 5 – ten pages describing vulnerabilities in several categories… The first table briefly lists six types of threats with different types of vulnerabilities (29 are listed) and examples (67).

The following table summarizes measures to mitigate cybersecurity threats inside and outside the vehicle.

The main discussion is now around notifying about new vulnerabilities as quickly as possible – and quickly releasing patches that are sent over the Internet and instantly installed on all powered cars. But it is absolutely clear that urgent critical updates in modern cars cannot be done without …

Cloud services, proximity keys via radio protocol, OBDII port, mobile applications for car control, USB and SD ports, Bluetooth, Wi-Fi, built-in modem, sensors, numerous connections via telematics systems and cloud services that work in the car, built-in multimedia system with a computer in the salon. This is too large an attack surface …

Probably, in the future, such “amenities” will be included in the standard equipment of all cars.

PS GlobalSign already Issuing safety certificates for 25 years for various industries. Check out our interactive 25th Anniversary page.