Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


How to Steal a Tesla Car, the Android App Edition

tesla-car-android-app-stealing-tesla

An Android app is enough to locate, unlock, and steal a Tesla car. This is what researchers at Promon succeeded to prove just by using a single application.

Our researchers have demonstrated that because of lack of security in the Tesla smartphone app, cyber criminals could take control of the company’s vehicles, to the point where they can track and locate the car in real-time, and unlock and drive the car away unhindered.

Perhaps you know that every Tesla model has an application for both Android and iOS that enables owners to perform various activities, like locating the vehicle, flashing its lights to find it in a parking lot, etc. These features are surely handy, but they can also be leveraged by malicious hackers. As a result, your Tesla can easily be stolen.

Related: Foxconn Firmware in Android Devices May Allow Backdoor Access

One thing should be clear from the beginning – such a hack can take place only if the Tesla owner has downloaded a malicious application on an Android device. In other words, tech-savvy users who monitor their online activities would not end up with their car being stolen. At least not this way.

Get a Free Meal – Get Your Tesla Stolen

The whole hack is based on attacking and taking over the Tesla app.

In the example illustrated by the researchers, an application was advertised that offers the Tesla owner a free meal at a nearby restaurant. Once the owner of the car clicks on the ad, he is redirected to the Google Play Store. This is where the malicious app is displayed.

Once the app is installed, it gains root control over the device and replaces the original Tesla app. When the app is started, the user will be prompted to enter his username and password. The compromised app will then send the user data to the attackers’ server. The attacker is then “free” to steal the Tesla, simply by making a few HTTP requests, the researchers explain.

Related: IoT Thermostat Hack Ends with Ransomware Infection

How Can the Tesla Android App Be Improved?

The researchers point to the OWASP Mobile Security Project’s Top Ten Mobile Risks for 2014, for starters.

These are their conclusions:

  • The application should detect that it has been modified.
  • The authentication token should not be stored in clear text.
  • The security of the authentication can be improved by requiring two-factor authentication.
  • The app should provide its own keyboard for entering the username and password. Otherwise, malicious third party keyboards can act as keyloggers to obtain the user’s credentials.
  • The app should be protected against reverse engineering.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Newsletter
Subscribe to receive regular updates about the state of PC Security and latest threads.

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.