Hacking a Tesla Model X with a DJI Mavic 2 drone equipped with a WIFI dongle

Pierluigi Paganini May 02, 2021

A security duo has demonstrated how to hack a Tesla Model X’s and open the doors using a DJI Mavic 2 drone equipped with a WIFI dongle.

The scenario is disconcerting, hackers could use a drone to fly on your Tesla Model X and open the doors, a couple of researchers demonstrated.

The researchers Kunnamon, Inc.’s Ralf-Philipp Weinmann and Comsecuris GmbH’s Benedikt Schmotzle have discovered remote zero-click flaws in the vehicle and exploited them using a DJI Mavic 2 drone equipped with a WIFI dongle.

The vulnerabilities reside in the ConnMan open-source software component used in Tesla cars, the experts explained that they have exploited them to “compromise parked cars and control their infotainment systems over WiFi.”

The duo called the hack TBONE and presented it at the CanSecWest 2021 Conference, below the video of the presentation:

Weinmann and Schmotzle explained that the ConnMan is also widely used in infotainment systems of other carmakers, for this reason they engaged German CERT and other actors of the automotive industry. A new version of ConnMan (v1.39) has been released in February 2021.

“Looking at the fact TBONE required no user interaction, and ease of delivery of the payload to parked cars, we felt this attack was ‘wormable’ and could have been weaponized”, says Kunnamon CEO Ralf-Philipp Weinmann. “Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. We did not want to weaponize this exploit into a worm, however.”

The duo was planning to present the attack at the PWN2OWN 2020 hacking contest, but since it was moved online due to the COVID19 pandemic they opted to privately report the issues to the carmaker.

Going into details the vulnerabilities could be exploited by remote attackers to compromise parked cars gain control of the infotainment system over WIFI, then it is possible to lock/unlock the trunk and doors, modify seat positions and steering/acceleration modes, and change air conditioning settings and temperature.

“It would be possible for an attacker to unlock the doors and trunk, change seat positions, both steering and acceleration modes – in short, pretty much what a driver pressing various buttons on the console can do. This attack does not yield drive control of the car though.” reads the post publishe by the experts.

The good news is that the vulnerabilities cannot be exploited by attackers to take remote control of the vehicle.

“We emulated Tesla’s ConnMan entirely in our own emulator – KunnaEmu. KunnaEmu’s emulation is accurate enough to allow for the exploit to be successful as-is on actual Tesla hardware.”, concluded Dr. Weinmann. “Automotive manufacturers can scale up their software testing and remediation pipelines by orders of magnitude by using KunnaEmu. Our mission at Kunnamon is to bring the power of cloud computing and emulation for testing embedded automotive systems, at scale.”

Tesla is yet to provide a comment on the researchers’ findings.

It is not the first time that hackers demonstrated the hack of a Tesla, in November 2020, a team of researchers from the Computer Security and Industrial Cryptography (COSIC) group at the KU Leuven University in Belgium demonstrated how to steal a Tesla Model X in minutes by exploiting vulnerabilities in the car’s keyless entry system.

In July 2019, the security researcher Sam Curry has earned $10,000 from Tesla after reporting a stored cross-site scripting (XSS) flaw that could have been exploited to obtain vehicle information and potentially modify it.

In March 2019, during the Pwn2Own 2019 hacking competition, the security experts Amat Cama and Richard Zhu of team Fluoroacetate, earned $35,000 for their exploit, along with the Tesla they hacked. The white hat hackers managed to display a message on the car’s web browser by exploiting a just-in-time (JIT) issue in the renderer component.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Tesla)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment