The rise in popularity of cryptocurrencies lately has come with several instances of widespread hacking efforts to hijack computing power in order to mine cryptocurrencies, which is sometimes referred to as “cryptojacking”.
Tesla was apparently also the victim of such a cryptojacking effort.
In a blog post published today, cloud security firm Redlock reports that they found the attack and reported it quickly to Tesla.
The automaker has reportedly fixed the issue. We reached out to the company for a comment and will update if we get an answer.
Update: Tesla sent us the following statement about the situation:
“We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”
Redlock describes the attack:
“The hackers had infiltrated Tesla’s Kubernetes console which was not password protected. Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.”
It’s not clear what telemetry data was exposed exactly, but it looks like the hackers might not have been after the data. Instead, they installed a program for crypto mining from within one of Tesla’s Kubernetes pods.
Redlock has discovered other similar attacks against other large companies like Aviva and Gemalto, but the firm notes that the attack against Tesla was more sophisticated and involved several evasion techniques:
- Unlike other crypto mining incidents, the hackers did not use a well known public “mining pool” in this attack. Instead, they installed mining pool software and configured the malicious script to connect to an “unlisted” or semi-public endpoint. This makes it difficult for standard IP/domain based threat intelligence feeds to detect the malicious activity.
- The hackers also hid the true IP address of the mining pool server behind CloudFlare, a free content delivery network (CDN) service. The hackers can use a new IP address on-demand by registering for free CDN services. This makes IP address based detection of crypto mining activity even more challenging.
- Moreover, the mining software was configured to listen on a non-standard port which makes it hard to detect the malicious activity based on port traffic.
- Lastly, the team also observed on Tesla’s Kubernetes dashboard that CPU usage was not very high. The hackers had most likely configured the mining software to keep the usage low to evade detection.
When it comes to being hacked, whitehat hackers have help Tesla on several occasions by attacking its products in order to find vulnerabilities, but they always disclose the hack to the company before making it public and never use the breach nefariously.
Though Tesla was also hacked by blackhat hackers in the past. In 2015, a hacker took control of Tesla’s website and Twitter account, as well as Elon Musk’s Twitter account.
Again, we don’t know the extent of the data breach and it might be nothing, but it doesn’t hurt to change your Tesla account password every now and again. So now might be good timing.
Update: as per statement added above, it sounds like they didn’t get any customer data.
Subscribe to Electrek on YouTube for exclusive videos and subscribe to the podcast.