Connected cars, like Tesla’s vehicles, are the latest fashionable device for hackers to crack. As we’ve previously discussed, if done right, this actually makes the vehicles safer, but we need to walk the line between that and fear-mongering very carefully.
A group of hackers from Norway failed to do just that today in releasing what they claim to be a way to steal a Tesla with a software hack, when in fact their claim amounts to nothing more than stealing the key and driving away with it like you would with any other vehicle.
In a release about their alleged exploit, the group of security researchers, called ‘Promon’, claims:
“Our researchers have demonstrated that because of lack of security in the Tesla smartphone app, cyber criminals could take control of the company’s vehicles, to the point where they can locate, unlock and drive the car away unhindered.”
That’s a misleading statement. The “lack of security in the Tesla smartphone app” is actually a weakness in Android software, a flaw which has been patched in the latest version.
In the video released by the hackers, they make a big deal of how they used this weakness, especially to take control of a Tesla Model S.
But the truth is that they took control of the owner’s phone, which was running outdated software. By taking control of his phone, they could trick him into logging into a fake or modified Tesla app and get all of his login information, but the exploit targeted the outdated Android operating system, not the app.
This may be frightening at face value, but the demonstration is misleading. The hacker never actually exploited a weakness in Tesla’s software. A Tesla spokesperson sent us the following statement regarding the hack:
“The report and video do not demonstrate any Tesla-specific vulnerabilities. This demonstration shows what most people intuitively know – if a phone is hacked, the applications on that phone may no longer be secure. The researchers showed that known social engineering techniques could be employed to trick people into installing malware on their Android devices, compromising their entire phone and all apps, which also includes their Tesla app. Tesla recommends users run the latest version of their mobile operating system.”
That’s the main point to consider with the hack demonstrated by Promon. Unfortunately, the group decided to present it in a way that implies a failure of Tesla’s app, and not of the phone itself or of the user who fails to update their phone. That might have to do with the fact that the group is trying to sell a software product to app developers that they claim would prevent such a hack from happening on the app side.
Even though two Tesla vehicles were mysteriously stolen earlier this year in Germany, it’s a rare event since the car is always connected and can be fairly easily located. Tesla told us today that they are not aware of any Tesla vehicle stolen as a result of being hacked.