Grand App Auto: Tesla smartphone hack can track, locate, unlock, and start cars

A smartphone app flaw has left Tesla vehicles vulnerable to being tracked, located, unlocked, and stolen. Security experts at Norwegian app security firm Promon were able to take full control of a Tesla vehicle, including finding where the car is parked, opening the door and enabling its keyless driving functionality. A lack …

  1. adnim
    Trollface

    I realise

    that The Register would have much less to report...

    However it seems to me that reporting on SECURE apps, websites, IOT devices and Internet based services would be news. Whereas reporting on INSECURE apps, websites, IOT devices and Internet based services is like reporting that the sky appears blue because of the way different wavelengths of light are scattered.

  2. Grunchy Silver badge

    My car is scandalously easy to steal: just hook a tow truck and take it away!

    My security is the fact that it's a pile of junk that nobody else would want :)

    1. Steve Davies 3 Silver badge

      They may not want it for ££££

      but the joyriders would get some fun from your pile of junk. Then they'd set fire to it just to piss off the Polis.

      Unless you are trading it in, the miserly sum you get from the scrap yards is generally far less than the insurance will give you... nudge, nudge, wink, wink, you get my meaning.

      One way to get rid of your pile of junk, not that I've done it, you understand.

      1. phuzz Silver badge

        Re: They may not want it for ££££

        Must be nice, my annual insurance is more than the entire worth of the car, well, sans petrol at least.

  3. TRT Silver badge

    You don't mention...

    that the attack relies on features of Android. The iPhone app would have to be insecure by a completely different method.

    1. Voland's right hand Silver badge

      Re: You don't mention...

      Do not think so.

      The attack is basically not having multiple security levels and OAuth2 tokens for them and having an OAuth2 token hijackable.

      OAuth2 is retarded by design. Gimme a token, here is my authentication credentials. Here, token for you. Now you can do anything you effing want. Different auth levels? Fine grained control? Yes, we have heard of it. Some other time.

      Going back to Android vs iPhone. If a remote system access is designed around OAuth2 it will be the same for both. By the way, if I was designing this I would have gone for public crypto instead. No Man In The Middle running OAuth at Tesla central. Car, here are my credentials, sign my key. Only that key now gets access - similar to the way a car key works. Not hijackable as you have to get the private key out of the phone which at the very least needs phys access and actually can be stored on the crypto module so not hijackable at all. At least without NSA resources.

      1. Anonymous Coward

        Depends if the app used built-in iOS security features

        It could have the plaintext oAuth token encrypted by the OS - it would be by default unless they specified no encryption for the file in which it was kept (note this encryption is a separate layer below iOS' overall filesystem encryption)

        But if they designed the Android app without trying to take even basic security measures, they might have been equally stupid with the iOS app and chose to have the oAuth token saved without encryption.

        Makes me wonder if the communication between app and car is even encrypted? If not, who cares what the phone is doing when you can sniff the network to get what you need!

        1. TRT Silver badge

          Re: Depends if the app used built-in iOS security features

          These guys make RASP software for Android. They're experts in Android security. They found an App where the consequences of not taking a feature of Android into account are pretty rough. iOS has a different approach to common storage access. Tesla's approach to storing oAuth tokens and stuff stinks, yes, but on the iOS app they can get away with it. The article doesn't mention that Tesla's iOS app is not sensitive to this attack vector, and it brushes over the fact that ANY app can be subject to attack with varying degrees of damage.

      2. Matt Bryant Silver badge
        Facepalm

        Re: Voland's right hand Re: You don't mention...

        "OAuth2 is retarded by design...." Being so stupid as to let a phone app control your very expensive car's security is retarded by nature.

    2. Anonymous Coward

      Re: You don't mention...

      the attack relies on features of Android. The iPhone app....

      Regardless......what FUCKWIT thought that giving any phone full control of a near $100,000 vehicle was a good idea?

      That Elon Musk should invest some of his billions in pharmaceutical research, to find a drug that exterminates fuckwits but is harmless to those with common sense; And then he should make sure it gets put it in the public water supply. He could start with the waterworks near Tesla HQ, but after that the rest of the world might appreciate a dose.

      1. Voland's right hand Silver badge

        Re: You don't mention...

        Regardless......what FUCKWIT thought that giving any phone full control of a near $100,000 vehicle was a good idea?

        Worse than that. Full control authorized by a remote 3rd party which is @ Tesla central.

        1. You do not own your 100K+ car. Elon does. He HOLDS the keys - he issues the auth tokens.

        2. Consumer phones have had a crypto module and support for storing their strong keys since some time around the Nokia N95 - mid-90s. Business specific stuff like the early XDA - since earlier. It is possible to create a secure channel between a phone and another device. F.E. Car. Even over the internet. If you DO NOT INVOLVE A 3RD PARTY. This is the design flaw here. Elon's OAuth server is the odd man out. It does not belong. It may provide you with assistance on where your car is, what it reported ONE WAY about itself, etc. It should not be the entity which authenticates you. Ever. The authentication should be simultaneous with establishing the secure channel to the car and use something which is proven to be secure and not sniffable by anyone. It should also be done mutually - the phone must authenticate the car and the car must authenticate the phone. It is a trivial RSA exchange where Elon should not be included. By design.
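
The design sketched in the comment above, a mutual challenge-response between phone and car with no token server in the middle, written out as an added example. This is not code from the thread, from Promon, or from Tesla's app; it is an illustration in Go using only the standard library. The party names, the one-time `Enroll` pairing step (assumed to happen with the phone physically at the car) and the transcript layout are my assumptions. Beyond the plain exchange, the block shows the two checks a defender cares about: a key that was never enrolled is rejected, and a signature captured from one session is rejected when replayed against a fresh nonce.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is either the car or the phone. Each holds its own RSA key pair and a
// table of enrolled peer public keys; no third-party token server is involved.
type Party struct {
	Name     string
	priv     *rsa.PrivateKey
	enrolled map[string]*rsa.PublicKey
}

// NewParty generates a fresh key pair. On a real phone this key would live in
// the hardware-backed keystore so it cannot be copied off the device.
func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: k, enrolled: map[string]*rsa.PublicKey{}}, nil
}

// Public returns the party's public key so a peer can enroll it.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Enroll is the one-time pairing step ("sign my key"); assumed to be done with
// the phone physically present at the car.
func (p *Party) Enroll(peer string, pub *rsa.PublicKey) { p.enrolled[peer] = pub }

// NewNonce draws 32 random bytes; a fresh one per side per session.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// transcript hashes both identities and both nonces in a fixed order so a
// signature is bound to one session and one direction of the exchange.
func transcript(signer, verifier string, signerNonce, verifierNonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(signer))
	h.Write([]byte{0})
	h.Write([]byte(verifier))
	h.Write([]byte{0})
	h.Write(signerNonce)
	h.Write(verifierNonce)
	return h.Sum(nil)
}

// Sign proves possession of the private key over this session's transcript.
func (p *Party) Sign(peer string, myNonce, peerNonce []byte) ([]byte, error) {
	digest := transcript(p.Name, peer, myNonce, peerNonce)
	return rsa.SignPSS(rand.Reader, p.priv, crypto.SHA256, digest, nil)
}

// Verify accepts a peer only if its key was enrolled and the signature covers
// the nonce we chose for this session (so an old signature cannot be replayed).
func (p *Party) Verify(peer string, peerNonce, myNonce, sig []byte) error {
	pub, ok := p.enrolled[peer]
	if !ok {
		return errors.New("peer not enrolled")
	}
	digest := transcript(peer, p.Name, peerNonce, myNonce)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest, sig, nil)
}

// MutualAuth runs the exchange: swap nonces, phone signs and car checks, then
// car signs and phone checks. Either failure aborts the session.
func MutualAuth(car, phone *Party) error {
	carNonce, err := NewNonce()
	if err != nil {
		return err
	}
	phoneNonce, err := NewNonce()
	if err != nil {
		return err
	}
	phoneSig, err := phone.Sign(car.Name, phoneNonce, carNonce)
	if err != nil {
		return err
	}
	if err := car.Verify(phone.Name, phoneNonce, carNonce, phoneSig); err != nil {
		return fmt.Errorf("car rejects phone: %w", err)
	}
	carSig, err := car.Sign(phone.Name, carNonce, phoneNonce)
	if err != nil {
		return err
	}
	if err := phone.Verify(car.Name, carNonce, phoneNonce, carSig); err != nil {
		return fmt.Errorf("phone rejects car: %w", err)
	}
	return nil
}

func main() {
	car, _ := NewParty("car")
	phone, _ := NewParty("phone")
	car.Enroll(phone.Name, phone.Public())
	phone.Enroll(car.Name, car.Public())
	fmt.Println("paired phone:", MutualAuth(car, phone))
	stranger, _ := NewParty("phone") // claims the same name, key never enrolled
	fmt.Println("unpaired phone:", MutualAuth(car, stranger))
}
```

The point of hashing both names and both nonces into the transcript is that the car only ever accepts a signature over a nonce it generated moments ago, so nothing that passes over the network (or sits on the phone's disk) is reusable the way a long-lived bearer token is. What remains to protect is the private key itself, which is exactly the thing a hardware keystore is designed to hold.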

    3. macjules
      FAIL

      Re: You don't mention...

      I don't see how this can be accomplished on iOS at all. They state that the username/password is stored as a cleartext token on the device: is this just for Android? On iOS all usernames and passwords are stored in the Keychain, so not as accessible as these guys make out. Checked the Tesla.app and yes it does use something akin to SSKeychain.h, SSKeychain.m, SSKeychainQuery.h and SSKeychainQuery.m

      Don't know enough about Android to comment but it can not be that dissimilar to the iOS system, can it?

      Storm ≠ teacup

    4. Adam 1

      Re: You don't mention...

      I'm just glad that all the products and services that I use have proper cryptographic protection on their auth tokens and so can't possibly be vulnerable to such MitM attacks.

      I LOVE BOOGERS!

  4. RosslynDad

    That's a lot of code

    I read the line saying that a modern car has over 200 million lines of code. That struck me as being an awful lot. Does anyone who knows about these things care to confirm (and tell me where it all goes)? Thanks.

    1. JetSetJim

      Re: That's a lot of code

      I wonder what percentage contain merely curly braces (opening or closing), or if this is supposed to exclude such lines

    2. JeffyPoooh
      Pint

      Re: That's a lot of code

      200 million lines of code.

      Written to DO-178B DAL C standards, this would require approximately 100,000 coder-drone years of effort. It would also generate roughly 50 million pages of requirements traceability documentation.

      Perhaps not all of this code is safety critical. Perhaps most of it could be banged out over a weekend, in the usual manner.

      1. bazza Silver badge

        Re: That's a lot of code

        Perhaps not all of this code is safety critical. Perhaps most of it could be banged out over a weekend, in the usual manner.

        That's basically what the self driving car types are doing. Their approach is to get enough cars running incident free for long enough that they can get approval through mere statistical argument.

        It's deeply worrying that this approach may actually be accepted by regulators. Unreviewed, unprovable safety critical code with no triplicate redundancy? No thanks. A statistics-based approval ignores the possibility of a systemic date-sensitive bug lurking unnoticed in the code base that will do something very damaging at some point in the future.

        Fortunately it seems that their best efforts so far are a long, long way from being statistically acceptable.

        1. John Robson Silver badge

          Re: That's a lot of code

          I'd rather my code was shown to be better than people than proved 'correct'

          Beware of bugs in the above code; I have only proved it correct, not tried it. - Donald Knuth

    3. Richard 12 Silver badge

      Re: That's a lot of code

      The car stereo system will run a general OS, usually either an embedded/compact edition of Windows, Linux or Android. That alone is tens of millions of lines of code.

      Then there is the GUI toolkit (probably Qt these days), which is again quite large - most of that toolkit will not be actually used, but is there in the build machine.

      None of the above was written by the car or stereo system manufacturer. The part they wrote will be much smaller, and far less well tested.

      The ECU is a lot smaller, but was also built up over decades and probably is millions of lines - many of which will be cut out when building for a particular engine.

      Then there are the multitude of sensors, each of which has some code, maybe a thousand lines or so.

      So while it's not an unreasonable estimate, it is an utterly meaningless number.

    4. Anonymous Coward

      Re: That's a lot of code

      I read the line saying that a modern car has over 200 million lines of code. That struck me as being an awful lot.

      They probably stick the full OS and hack the bits they need to work.

    5. macjules

      Re: That's a lot of code

      Actually if you are obeying strict coding standards then there should only be one line of code. Any NodeJS/Uglify user could tell you that one ;)

  5. Crazy Operations Guy

    Going stone-age

    Been meaning to get a new car, but with security issues like this, I think I'm going to get something a bit older. A local company refurbishes classic cars that just got a whole load of old 1960's VW Type-1 Beetles, might have to pick one up...

    I have no need for A/C (Almost never gets warm enough around here), all I need from a radio is a a 3.5mm audio input jack and a USB charging port (An hour or two at a soldering iron will take care of that), and I especially don't need yet another device that needs to connect to WiFi for updates. Parts and other replacement components are extremely plentiful and easy enough to repair while stuck on the side of the road and equipped with only a few tools. Plus it doesn't need water and is immune to EMP blasts.

    1. HamsterNet

      Re: Going stone-age

      Have you any idea how easy it is to steel an old VW? Bet more of them are stolen each day than all Tesla stolen ever.

      1. Crazy Operations Guy

        Re: Going stone-age

        Yeah, but also factor in that an old VW costs around $5000 where the cheapest Tesla is $35,000*. You also have to factor in the fact that they've made 21 -million- Beetles vs only a few thousand Teslas. You would also have to factor in location as well since most Beetles are driven in poor countries where car theft is common and the police highly ineffective.

        And even if it is stolen, I think it'll be much easier for the police to find a purple bug versus a medium-gray car that looks like every other car on the road. There isn't even much motivation to steal one anyway since new parts are about the same cost as used, so scrapping it wouldn't net the thief all that much cash making the risk-reward ratio completely untenable.

        [*]A Tesla would be much more than that at the end of the day since I would need to finance a Tesla and pay interest on the loan versus paying cash for a Beetle.

        1. Ogi

          Re: Going stone-age

          You also have to take into account how obvious it is that someone is stealing a car.

          With old cars, the thief has to break a window, start hammering through the door with a screwdriver to break the lock, or otherwise obviously make a lot of noise and draw attention to themselves in order to steal a car. Ever see someone trying to break a steering lock? It is obvious a mile away what they are doing. That is ignoring the fact that even mechanically locked cars have alarm systems that make an awful din if someone starts breaking in.

          Then they have to drive the car with the broken window and holes in the door/lock, not get noticed by coppers (who are trained to notice these things), and of course not have had the car reported stolen (which, because they made a massive din, means either you noticed, or one of your neighbours did and reported it).

          This modern connected car can be hacked remotely, using an app, then the thief just walks up like he owns it, opens it normally, gets in and drives off.

          Not to mention with mechanical locks, you need to be in the know. Most thieves learn about different cars, their mechanical weaknesses, where exactly to hammer the screwdriver to break the lock (if you get it wrong, the mechanical failsafe engages, the lock will jam and you won't be able to do anything else to it), etc.... You even get thieves that specialise in particular makes and models.

          With connected cars, someone writes an app that does it, and sells it to wannabe criminals over the Internet, who just have to run said software/appliance, and then just drive off. Not much local training required. It is like the difference with hackers and script kiddies, except now being applied to cars.

          There are not many skilled car thieves out there, but there are a lot of "script kiddie" equivalents who can run software. Like with those BMWs a few years back. Someone smart/well_funded/skilled cracked the BMW key fob and sold an app that would allow you to start any BMW assuming you could plug a dongle into its OBD2 port. As a result people who could not normally steal cars due to lack of ability, could just buy the software + dongle, and go at it. So many BMWs were stolen that insurance companies started refusing to insure them.

          I agree with the original poster, all my cars are non-connected older cars (early 80s), and one has had many attempts to be stolen (thankfully the local yobbos don't know how to break the lock). I did retrofit alarms to the cars, and since then nobody has damaged them during their attempts.

          Due to the sheer amount of pointless electronics and software in cars, I have no interest in anything post 2005 car wise. Even some of the 90s cars were getting too electronic, but those can still be dealt with.

          1. Vic

            Re: Going stone-age

            With old cars, the thief has to break a window, start hammering through the door with a screwdriver to break the lock, or otherwise obviously make a lot of noise and draw attention to themselves in order to steal a car

            This is not true.

            A short length of plastic box strap gets you into most older cars with no fuss and no noise.

            There are not many skilled car thieves out there

            Is your name Jon Snow?

            Vic.

        2. Winkypop Silver badge
          Thumb Up

          Re: Going stone-age

          Stone-age with benefits...

          Electric VW Beetle, Fully Charged - YouTube

          https://www.youtube.com/watch?v=fXsQGWWz3Is

          A beautiful piece of kit.

      2. Anonymous Coward

        Re: Going stone-age

        Correct.

        Old cars were and still are insecure, which is why a lot of people bought crook locks, installed immobilisers or put in their own kill switch (my favourite method of stopping car thieves, because they never knew where you put the switch).

        Steering locks were easily snapped with leverage and the ignition barrel was a joke from the plain ridiculous, starting them by wiggling a yale key, to stupid, removing the barrel or the cap at the back and using a screwdriver.

        My current car is a 10 year old ex-RAF ambulance Vauxhall Astra with an immobiliser (chipped up but no record of it). When it eventually goes I will probably still opt for an older car because they are easier to secure. If the software is broken there is nothing you can do about it till a fix is released and, to be honest, I spend too much time patching things as it is to have to do the car as well.

        1. ted frater

          Re: Going stone-age

          I've had a super idea! Why not a physical key like one has for one's home or safe?

          You push it into a small hole near the door handle, turn, and it opens! Then use the same key in a slot, turn to make an electrical sw. and you're on your way! Oh!! Hasn't this been done before!

          anyone who can afford a Tesla can afford to have it stolen.

          1. Charles 9

            Re: Going stone-age

            Now try doing it in the middle of a deluge or blizzard. People get so frustrated and soaked that Bad Things Happen.

            1. tiggity Silver badge

              Re: Going stone-age

              I always use the physical key to my car (even though it also came with a "remote" key fob, which sits around gathering dust as an emergency spare)

              The extra time delay in UK torrential thunderstorm deluge is fairly irrelevant - you're either already soaked or you have prepared and have wet weather clothes on.

              I dislike remotes (be it key remotes, apps whatever) for many reasons, but an infrequently mentioned one is ease of accidentally unlocking the vehicle: Similar to the classic "pocket dial" (butt dial for USians)

          2. Crazy Operations Guy

            Re: Going stone-age

            "I've had a super idea! Why not a physical key like one has for one's home or safe?"

            Yeah, except people are getting rid of those as well in favor of apps. Had a coworker of mine that had to crash on my couch for a weekend because he dropped his phone and couldn't get into his house (Bluetooth locks) or turn off the alarm (IoT app-only bullshit). They couldn't buy anything since all their cards were stored in a Bluetooth-enabled safe at home and just used Apple Wallet to pay for everything. I had to drive them since they couldn't seem to figure out how to get home without a navigation app to direct them (Traffic is terrible in the area, so the app would direct them around a lot of random side streets to avoid the congestion so never took a route enough times to get it imprinted in their mind).

      3. hplasm
        Headmaster

        Re: Going stone-age

        "Have you any idea how easy it is to steel an old VW?"

        They are 'steel' you dork. More steel in one than can be said for most modern cars...

    2. macjules

      Re: Going stone-age

      Would have thought that all you need to do is just not use the App.

    3. JeffyPoooh

      Re: Going stone-age

      Bob Pease (famous designer and author in the analog electronics field) thought that old Beetles were a good idea. He bumped into something leaving a memorial service for Jim Williams, and he was killed.

      https://en.m.wikipedia.org/wiki/Bob_Pease

      Modern safety features are exceedingly valuable. Life and death valuable. Not a good idea to dismiss their importance.

      1. Anonymous Coward

        Re: Going stone-age

        "Bob Pease (famous designer and author in the analog electronics field) thought that old Beetles were a good idea. He bumped into something leaving a memorial service for Jim Williams, and he was killed."

        Oh dear, I didn't know that (I was so busy I think I missed everything that happened in June 2011) and I corresponded a bit with Pease, a really nice guy.

        If I had known I'd have made my wife replace her car with an NCAP 5* one two years before I finally persuaded her.

        1. JeffyPoooh
          Pint

          Re: Going stone-age

          AC mentioned "...I corresponded a bit with Pease, a really nice guy."

          Yep, me too. I wrote him a letter and his kind reply was scrawled on my letter, which had been trimmed randomly. Endearing.

          Several of the more 'electronics' people at my office, including me, were nominally traumatized by the double loss of Jim and Bob.

  6. choleric
    Pirate

    It's not a bug...

    it's a feature. Tesla, now with Autopirate (tm).

  7. getHandle

    "..today's connected car..."

    I think I've identified the problem...

  8. Anonymous Coward

    All security is a compromise...

    ... between cost and usability.

    Any security can be broken - it's just a matter of time.

    Physical locks connected to mechanical systems can be bump-locked or picked or drilled.

    Physical locks connected to electrical systems can be bypassed and go straight to the electrics.

    Electronic encryption can be cracked (especially the weak and proprietary), or intercepted and modified (MitM), or you just wait till the decryption has happened and intercept at that point (malware).

    Only increasing the cost, either in terms of resistance to attack or at the expense of the 'user experience', will help.

    And even then it doesn't prevent a battering ram on the front door or a flatbed truck with a crane from being used.

    1. Anonymous Coward

      Re: All security is a compromise...

      Or a car-snatcher big-rig where they can just dolly and winch the car in whole.

      Or the ghetto favorite: just strip the parts from the car in situ and leave what you can't strip off in 20 seconds or less.

      Of course the preferred method can circumvent just about any method imaginable. They just steal the keys. Not much you can do at that point.

    2. Anonymous Coward

      Re: All security is a compromise...

      "Any security can be broken - it's just a matter of time."

      Yes, but if I have a car in a garage with ram-proof metal doors and my neighbour has an identical car on the driveway with the keys in the ignition, which one is the thief going to go for? Is a burglar going to go for my house with high rear fences, front easily visible to the neighbours, security cameras and dog, or a house backing onto fields with the front door hidden by a hedge, no alarm and no dog?

      All security is about being more secure than another, otherwise similar target.

      1. Anonymous Coward

        Re: All security is a compromise...

        Not necessarily. Higher security implies higher value, especially if you don't know what's inside until AFTER you get in, so adding security can DRAW thieves to you, and thieves talk to each other so know how to drug the dogs, dress like ninja, go in the middle of the night when everyone's asleep (or in the middle of the day when everyone's at work/school) and to go fast and furious so you're gone before any cops summoned by alarms and such can arrive. Out of sight, out of suspicion.

  9. ecofeco Silver badge

    DOH!

    See title

  10. patrickstar

    Obfuscating it to "protect" against reverse engineering?

    So now you have made life more difficult for legitimate security researchers whose work can benefit the collective good, working for free or at least not with a financial incentive to find vulnerabilities in one specific thing.

    While still leaving it wide open to people with a clear financial motive to target this specifically, say organized car thieves (or rather people selling tools to them).

    Especially trying to protect against someone who has compromised the phone... WTF? Exactly what the world needs - more obfuscated code!

  11. Jess--

    Physical Key

    I once horrified a neighbour who had locked themselves out of their car by walking up to their driver's door with a bunch of random car keys and unlocking their door in under 30 seconds.

    The keys I had were spare keys from various vehicles that had been owned & scrapped by my family over about 20 years. I targeted their driver's door as that lock had the most use (and would therefore have more wear).

    About 10 seconds was spent finding a key that had the right blade shape and the last 20 seconds was spent jiggling it up and down / in & out while trying to turn it.

  12. Faszination
    FAIL

    Doesn't stealing a Tesla rely on...

    ....the thing being charged enough in the first place to actually move?!

    My local motorway service area is always full of Model S's being charged after the gruelling 10 mile journey to get there...any potential thief would be lucky to get one to move out of the charge bay, let alone out of the area.
