Posted by Robert Vamosi on December 5, 2016
Last month, researchers demonstrated how a mobile app for Tesla, or any other connected car, can be hacked, enabling criminal hackers to locate, unlock, and potentially steal a Tesla vehicle.
Researchers from Promon disclosed a vulnerability in the mobile app used by Tesla customers to access their vehicles. According to the researchers, this attack is not Tesla-specific and can be used against any automotive app, “however, the Tesla app did not offer any kind of resistance which would require time-consuming effort to exploit.”
The problem? The OAuth token, an end-user access token, is stored in plain text. This, they said, is enough to locate, track, and unlock the car. To drive away with it, you need the username and password associated with the vehicle. The researchers noted that malware could easily steal those credentials from the app and send them to a server under the attackers' control.
The researchers also said they will not distribute or otherwise make available the tools or attack software used in the demonstration. They did, however, provide a video demonstration on YouTube.