How Tesla should have protected its app – instead of blaming the user

A security company has shown how easy it is for a hacker to take over a Tesla car via its owner’s mobile app. Tesla says it is the user’s own fault if she is hacked, but Bjørn Søland, internet of things expert at identity and security company Nexus Group, does not agree.

Last week one of my Nexus colleagues sent me an early morning email about the latest Tesla hack, performed by the Norwegian application security company Promon. One of the things the hack revealed was that the OAuth token (a piece of data that works like your car key) is stored in plain text – no encryption and easy to find.

OAuth is an open standard for authorization, often used to let one website or application access a user’s information held by another, without handing over the user’s password. With access to the OAuth token the attacker can unlock and track the car. To actually drive the car away, the attacker needs the owner’s username and password as well, so the malware makes the user log in again and captures the credentials – and that takes just a few additional lines of code in the hacker’s malware.

As a former Promon employee I am well aware of the (lack of) security effort companies put into their mobile apps, and of the response to expect from them. A Tesla spokesperson said, “Tesla has never received a report of any car being stolen through a compromised app,” and offered this statement:

“The report and video do not demonstrate any Tesla-specific vulnerabilities. This demonstration shows what most people intuitively know – if a phone is hacked, the applications on that phone may no longer be secure. The researchers showed that known social engineering techniques could be employed to trick people into installing malware on their Android devices, compromising their entire phone and all apps, which also includes their Tesla app. Tesla recommends users run the latest version of the mobile phone operating system.”

But wait! Is this really the users’ problem? One could suspect that Tesla blames the users for being plain stupid, so let’s take a look at what users can do to protect themselves:

According to the security researchers at Promon, the malware for the Tesla hack was downloaded from Google Play. As Google Play is an official app store, I would argue that the hypothetical user did the right thing: she trusted an official app store. Using a trick that included offering free Wi-Fi and a free burger, the researchers fooled the user into downloading malware, which then used a local privilege escalation attack to take control of the victim’s phone.

A privilege escalation is the act of exploiting a vulnerability in the operating system to gain elevated access to resources that are normally protected from an application or user. The end result in this case is so-called root access, which lets the attacker control the whole device, including every app installed on it. As this vulnerability affects all older Android versions up to and including 5.1, we are talking millions and millions of devices.

As of November 2016, 0.3 percent of all Android devices run Android 7 (released in 2016) and 24 percent run Android 6 (released in 2015), according to the Android Developer dashboard. This means that roughly 75 percent of all Android devices run versions older than 6 and are vulnerable to Promon’s attack.

Most phone manufacturers stop updating a device long before its owner stops using it, which means that many Tesla owners will be on old Android versions for years. In other words: Tesla recommends that its customers update their phones, and that is something many of them cannot do, however hard they try. This, combined with Tesla’s failure to make the OAuth token useless outside the owner’s phone and the lack of app integrity protections, makes me wonder: who is to blame?

In this case, it is not the user who puts the car key under the metaphorical door mat – it is Tesla.

Tesla is a prominent world leader when it comes to using internet of things (IoT) technology, and I am sure they have spent more money on security than most and that they will solve this problem. But for the rest of the world, here is my list of recommendations:

  • If you sell a product that breaks because a user cannot see the difference between a malicious link and a good one – do not sell it. Users are supposed to click on links. It is standard functionality in all browsers and email clients.
  • Expect that the user’s device is infected.
  • Making a mobile authentication system really secure is difficult – buy it from a company that has made it its core business (that is, call me).
  • Make sure that the mobile authentication app modules you buy have proper integrity and anti-tampering protection at rest (that is, obfuscation and anti-repackaging, so the app code is extremely difficult to understand and to modify).
  • Add security features that protect the app’s integrity when it executes.
  • Make sure that every installation of the app has its own keys – never use a single global key baked into the app, because one extracted key then unlocks every user. This is best accomplished with a scalable public key infrastructure (PKI).
  • Bind the app to the phone – a security token stolen from one device should be useless on any other device.
  • Think security by design – adding it later because you are in trouble is painful.
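To make the last recommendations concrete, here is an added example (not code from Tesla, Promon or Nexus) of what "bind the token to the phone" and "one key per installation" look like at the protocol level. Each installation generates its own key pair at enrollment; the server remembers the public key next to the OAuth token; every request carries a signature made with that key over the token, method, path, timestamp and a fresh nonce. The token value, the endpoint paths and the 60-second freshness window are constructed for the example; a real app would keep the private key in a hardware-backed keystore (Android Keystore or equivalent) so it cannot be copied off the phone even by malware with root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// DeviceKey is the per-installation key pair. On a real phone the private half
// would be generated inside a hardware-backed keystore and be non-exportable;
// here it is simply held in memory for the demonstration.
type DeviceKey struct{ priv *ecdsa.PrivateKey }

func NewDeviceKey() (*DeviceKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DeviceKey{priv: priv}, nil
}

// SignedRequest is what the app sends: the bearer token plus proof that the
// sender holds the private key that was enrolled together with that token.
type SignedRequest struct {
	Token, Method, Path, Nonce string
	Timestamp                  int64
	Sig                        []byte
}

// canonical hashes every field the signature covers, so changing any of them
// (for example the path) invalidates the signature.
func canonical(token, method, path string, ts int64, nonce string) []byte {
	msg := strings.Join([]string{token, method, path, strconv.FormatInt(ts, 10), nonce}, "\n")
	sum := sha256.Sum256([]byte(msg))
	return sum[:]
}

// Sign builds a request with a fresh random nonce and an ECDSA signature.
func (k *DeviceKey) Sign(token, method, path string, ts int64) (SignedRequest, error) {
	nb := make([]byte, 16)
	if _, err := rand.Read(nb); err != nil {
		return SignedRequest{}, err
	}
	nonce := hex.EncodeToString(nb)
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, canonical(token, method, path, ts, nonce))
	if err != nil {
		return SignedRequest{}, err
	}
	return SignedRequest{Token: token, Method: method, Path: path, Nonce: nonce, Timestamp: ts, Sig: sig}, nil
}

// Server records, per token, the public key of the installation that enrolled
// it, plus the nonces it has already accepted (to reject replays).
type Server struct {
	boundKeys map[string]*ecdsa.PublicKey
	seenNonce map[string]bool
	now       func() time.Time
}

func NewServer(now func() time.Time) *Server {
	return &Server{boundKeys: map[string]*ecdsa.PublicKey{}, seenNonce: map[string]bool{}, now: now}
}

// Enroll happens once at login: the token is bound to this installation's key.
func (s *Server) Enroll(token string, k *DeviceKey) { s.boundKeys[token] = &k.priv.PublicKey }

// Verify accepts a request only if it is fresh, not a replay, and signed by
// the key bound to the token. A bare token, however it was obtained, is not enough.
func (s *Server) Verify(r SignedRequest) error {
	pub, ok := s.boundKeys[r.Token]
	if !ok {
		return errors.New("unknown token")
	}
	if d := s.now().Unix() - r.Timestamp; d > 60 || d < -60 {
		return errors.New("timestamp outside the freshness window")
	}
	if s.seenNonce[r.Nonce] {
		return errors.New("replayed request")
	}
	if !ecdsa.VerifyASN1(pub, canonical(r.Token, r.Method, r.Path, r.Timestamp, r.Nonce), r.Sig) {
		return errors.New("signature not from the enrolled device")
	}
	s.seenNonce[r.Nonce] = true
	return nil
}

// Scenario plays the Promon situation against this design. It returns the
// verification results for: the owner's own request; the attacker using the
// copied token with a key pair of their own; a replay of the owner's captured
// request; and the captured request with its path edited and a new nonce.
func Scenario() (owner, stolen, replay, tampered error) {
	clock := func() time.Time { return time.Unix(1700000000, 0) } // fixed clock: deterministic run
	srv := NewServer(clock)
	token := "constructed-oauth-token-0001" // constructed sample value, not a real token

	phone, _ := NewDeviceKey()
	srv.Enroll(token, phone)
	req, _ := phone.Sign(token, "POST", "/vehicle/unlock", clock().Unix())
	owner = srv.Verify(req)

	attacker, _ := NewDeviceKey() // has the token bytes but not the phone's private key
	bad, _ := attacker.Sign(token, "POST", "/vehicle/unlock", clock().Unix())
	stolen = srv.Verify(bad)

	replay = srv.Verify(req) // the exact request captured earlier, sent again

	edited := req
	edited.Path, edited.Nonce = "/vehicle/start", "ffff" // new nonce so the signature check is what fails
	tampered = srv.Verify(edited)
	return
}

func main() {
	owner, stolen, replay, tampered := Scenario()
	fmt.Println("owner:", owner, "| stolen token:", stolen, "| replay:", replay, "| tampered:", tampered)
}
```

The caveat a practitioner should keep in mind: device binding makes the token worthless once it leaves the phone, but malware that has root on the phone can still ask the keystore to sign on its behalf while it is resident there. Binding limits the damage to the one infected device and to the period of infection; requiring user presence (biometric or screen-lock confirmation) for the signing key, and re-authentication with the password for high-value actions such as driving, is what closes the remaining gap.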

Bjørn Søland, internet of things expert at Nexus Group.