Promon, a Norwegian mobile app security testing firm, has shown that Tesla are so vulnerable that a hacker would be able to find unlock and steal a car. The Tesla mobile app is increasing the risk of smartphone enabled Grand Theft Auto.
Footage released by Promon shows their experts hacking into the smartphone app and taking control of a car. In the footage their experts locate the position of the car, open it and turn on keyless use of the car. This issue highlights the importance of mobile app security testing, and the consequences of our increasing reliance on poorly secured IoT devices.
One attack vector involves setting up a WiFi hotspot close to a Tesla charging point. When a Tesla owner uses the app it redirects to a page where the hacker sends an ad to the user, for example a voucher for a free meal. Once the user clicks the ad and downloads the app, the mobile device falls under the control of the hackers who exploit the Tesla app.
According to Tom Lysemose Hansen, founder and CTO at Promon, “Mobile-focused criminals are more skilled than ever before, and are using a lack of security in mobile apps as an increasingly lucrative source of revenue. Remotely controlling and stealing Tesla cars is a particularly dangerous example of just what can be done, but in theory, any app without the necessary protection in place could be affected.“
Hansen believes that this scenario indicates a need for more rigorous and frequent mobile app security testing as well as Runtime Application Security Protection to “protect the app from the inside out, greatly reducing the possibility of a cyber-attack. By moving away from having a physical car key to unlock the door, Tesla is going in the same direction as banks and the payment industry. Physical tokens are replaced by ‘mobile tokens’.
Curently, Promon is trying to address this app security issue with Tesla. For now, Tesla ought to consider their approach to mobile app security testing and how to address wider concerns for Internet of Things security. The ease with which the Tesla car was hacked brings to mind the potential danger of self-driving cars and poor cybersecurity.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.