The attack combines social engineering and with a privilege escalation attack.
The attack combines social engineering and with a privilege escalation attack.

Tesla's security reputation has once again been challenged after researchers at the Norwegian security firm Promon developed an attack designed to exploit common vulnerabilities in Android phones to steal Teslas.

The attack combines social engineering with a privilege escalation attack, using a free Wi-Fi hotspot near banks of Tesla charging ports to offer Tesla owners a free burger at a nearby restaurant if they download a free app to their Android mobile devices, according to a Nov. 23 blog post.

The app is actually malware designed to exploit common Android vulnerabilities to access and manipulate the Tesla app on the user's device to send the app's login credentials to the attacker by sending an HTTP request to the Telsa server in order to obtain an OAuth token.

This effectively allows the threat actor to locate the vehicle, unlock the doors, and then enable keyless driving and full control of the vehicle without the key fob present.

Researchers said the electric car manufacturer could improve the security of the Tesla app by enabling the app to detect when its being modified, not storing the authentication token in clear text, using two-factor authentication, and enabling the app to provide its own keyboard for entering credentials, and protect against reverse engineering.

“While most of these should not be necessary if one could trust the user's device to not be compromised, the reality is that most Android users are at risk because the latest Android version is not available to them,” researchers said in the post. “With mobile phones now an everyday item, the ideal of safe usage can always be compromised by human error. It is impossible to control how every single user goes about using their mobile device, whether you are a car manufacturer, a retailer or a bank.”

A Tesla spokesperson told SC Media that the attack involves a well known Android flaw and has nothing to do with the automaker itself.

"This demonstration shows what most people intuitively know – if a phone is hacked, the applications on that phone may no longer be secure," the spokesperson said. "The researchers showed that known social engineering techniques could be employed to trick people into installing malware on their Android devices, compromising their entire phone and all apps, which also includes their Tesla app."

They went on to recommend that users always run the latest software on their devices.