The instrument panel of a Tesla Model S at a store in Brooklyn in September 2016. (Christopher Goodney/Bloomberg)
Tesla’s smartphone app provides a range of conveniences for owners of its luxury electric vehicles, including checking charging status, guidance to the cars in crowded parking lots and even opening the doors remotely without a key fob. But should an owner’s smartphone get hacked, the app can also be used by thieves to steal a Model S or Model X, according to a Norwegian cybersecurity firm.
Oslo-based Promon claims that there is an insufficient level of security in Tesla’s app to prevent smartphone hackers from locating a vehicle, unlocking its doors and driving away in keyless mode. Founder and CTO Tom Lysemose Hansen said in a statement that Promon’s testing scenario goes beyond the demonstration of a flaw revealed by Tencent’s elite KEEN team, which in September showed it could hack into the controller area network system, or CAN bus, of a Model S to unlock the doors, open the trunk and depress the brakes while the car was in motion. Tesla sent a software patch to fix that flaw within days of the demonstration.
“Our test is the first one to use the Tesla app as an entry point, and goes a step further by showing that a compromised app can lead directly to the theft of a car,” Hansen said. Promon’s specialty is app security.
In a blog and video posted on its corporate site, Promon showed how it set up a free Wi-Fi hotspot near a Tesla Supercharger station and ran a promotion offering free hamburgers to people who created accounts on its network. Promon then loaded malware onto the mobile devices of the hotspot users to gain access to usernames and login details for Tesla app owners. While this approach would also allow hackers to access banking apps, email accounts and other sensitive information on smartphones, the highly web-connected nature of Teslas is unique among auto brands.
“By moving away from having a physical car key to unlock the door, Tesla is basically taking the same step as banks and the payment industry. Physical tokens are replaced by ‘mobile tokens,’” Hansen said. “We strongly believe that Tesla and the car industry need to provide a comparable level of security, which is certainly not the case today.”
Promon said it is in “close dialogue” with Tesla. A company spokeswoman said Tesla is aware of Promon’s claims. The report and video do not demonstrate any Tesla-specific vulnerabilities, and there are no reports of attempts to steal one of its vehicles by someone hacking the app, the spokeswoman said.
“This demonstration shows what most people intuitively know – if a phone is hacked, the applications on that phone may no longer be secure,” Tesla said in a statement. “The researchers showed that known social engineering techniques could be employed to trick people into installing malware on their Android devices, compromising their entire phone and all apps, which also includes their Tesla app. Tesla recommends users run the latest version of their mobile operating system.”
If recent history is any guide, a move by the carmaker to add a security patch to minimize any potential risk of abuse of its app by hackers would be entirely in line with expectations.