The drone was not strictly necessary, but it still makes a difference: the unmanned aircraft hovers over a parked Tesla Model X and pauses there; then a beep is heard, the electric car's turn signals light up briefly, and both double doors open one after the other. Two German hackers showed this demonstration at a virtual IT conference at the end of April. Before that, they explained the vulnerability through which they penetrated the Tesla's infotainment system, and said that vehicles from many other manufacturers were probably also affected.
Tesla paid bounty for wireless vulnerability
The two Germans work professionally in car security and took part, for example, in the Pwn2own 2019 hacker competition, in which Tesla systems were among the specified targets. Such earlier work also provided the basis for the new attack, called T-Bone. As is usual with ethical hackers, the two informed Tesla about the vulnerability before publication, for which they received a bounty as part of a program. Because others did not consider themselves responsible, the IT security experts also alerted the rest of the industry to the problem.
To take control of parked Teslas, they exploit the fact that the cars are always on the lookout for a WiFi network called “Tesla Service” and, if they find one, log in with a permanently stored password. This makes it possible to establish a connection to them, with the supposed service WiFi carried on board a drone, discreetly from the air, for example at a Supercharger. The hackers then used a hole in Connman, an open source module used by Tesla, together with several other tricks, to gain access to the infotainment computer.
On a Tesla, this access makes it possible to control music and air conditioning, open windows and unlock the vehicle, but not to drive away. Only on the Model X, with its motorized doors at the front and rear, can the doors be moved through the drone hack; on the remaining models (only recently on the Model 3) the tailgate should also react. Or rather, should have reacted: according to the hackers' presentation, Tesla has now replaced Connman with another module. Through their company Comsecuris, the Germans reported the vulnerability to the “Bug Bounty” program in October 2020.
Connman software as the industry standard?
To the IT experts' amazement, Connman is probably also widespread in the rest of the auto industry. Genivi, an alliance for car software made up of manufacturers and suppliers, recommends the software as part of a reference platform for infotainment projects, and Bosch, an important supplier in this area, is among those relying on it. In addition, Connman is standard in a special Linux version for cars. From the end of January, one of the two Tesla hackers therefore set about warning other manufacturers, among other things via Twitter.
According to the presentation, he had actually wanted to leave that to the Intel security team, because a company employee is the original author of Connman. But the chip manufacturer declared, after three months, that it was not responsible. After the “German CERT” (which presumably means CERT-Bund, a central body for responding to IT emergencies), among others, became involved, a new Connman version without the vulnerability was published in February. Nevertheless, the discoverers advise against using this software at all, because it is simply “an invitation to problems”.