How to Hack a Tesla Model S Using "Free Burgers"

Hot to Hack a Tesla Model S Using "Free Burgers" 5 photos
Photo: YouTube screenshot
Hot to Hack a Tesla Model S Using "Free Burgers"Hot to Hack a Tesla Model S Using "Free Burgers"Hot to Hack a Tesla Model S Using "Free Burgers"Hot to Hack a Tesla Model S Using "Free Burgers"
A few months ago, we demonstrated that any car with a smart key fob is vulnerable to being broken into or even stolen altogether. All you need is a signal booster. But when it comes to a connected car like the Tesla Model S, all you need is free burgers and Wi-Fi. What?
A research company named Promon is trying to explain that the Tesla Model S is vulnerable to hacking via Android Apps. But it's actually much simpler than that.

They aren't proving that the app developed by Tesla is the vulnerable, even though it probably is in some way. No, the weak link here is the human and his insatiable appetite for... burgers.

The supposed hackers created a free and open Wi-Fi hotspot, promising a meal at the nearby burger shop to anybody willing to install a particular app on their phone. This, in turn, is actually malware. So when the owner of the Tesla uses his Android app to check on his car, the username and password are revealed.

“The actions are performed by sending an HTTP request to the Tesla server. All the requests need to provide an OAuth token. This token is obtained by authenticating using the username and password. The first time the user logs into the Tesla app, the token is obtained and then stored in cleartext in a file in the app’s sandbox folder. When the app is restarted, the token is read and used for subsequent requests,"
Promon explains.

In truth, this vulnerability has nothing to do with Tesla. Using a similar method, you could take advantage of OnStar to unlock something as basic as a Corsa.

There are some things you can do to protect yourself. For example, disabling the keyless start function of the car. And if you are wealthy enough to own a Tesla Model S, do you need free Wi-Fi? I would never trust a public hotspot like that.

The Android app is another thing. Never install an app before reading the comments first, because they can tell you if it contains malware. An antivirus program wouldn't hurt either. And lastly, never use the same password for everything. From Yahoo Mail to the iClous, everything has been hacked already, with millions of accounts bought and sold by people with dubious intentions.

If you liked the article, please follow us:  Google News icon Google News Youtube Instagram

Editor's note: They blurred out the text, but you can see him typing "123" at the end of his password.

About the author: Mihnea Radu
Mihnea Radu profile photo

Mihnea's favorite cars have already been built, the so-called modern classics from the '80s and '90s. He also loves local car culture from all over the world, so don't be surprised to see him getting excited about weird Japanese imports, low-rider VWs out of Germany, replicas from Russia or LS swaps down in Florida.
Full profile


Would you like AUTOEVOLUTION to send you notifications?

You will only receive our top stories