Vulnerability in Tesla's infrastructure allowed control to be taken of any car

Details have been disclosed of weaknesses in the protection of Tesla's network that made it possible to fully compromise the infrastructure that interacts with customer cars. In particular, the weaknesses allowed access to the server responsible for maintaining the communication channel with cars and for relaying the commands sent through the mobile application.

As a result, an attacker could gain root access to the onboard system of any car through Tesla's infrastructure, or remotely send control commands to the car. Among other things, sending commands such as unlocking the doors and starting the vehicle was demonstrated. All that was required to target a car was its VIN.

The vulnerability was identified in early 2017 by security researcher Jason Hughes, who immediately reported the problems to Tesla and published his findings only three and a half years later. Tesla fixed the problems in 2017 within hours of receiving the report, and subsequently substantially strengthened the protection of its infrastructure. The researcher was paid a reward of 50 thousand US dollars for the finding.

The analysis began with decompiling the tools offered for download from toolbox.teslamotors.com. Tesla owners with an account on service.teslamotors.com could download all of the developer modules. The modules were only trivially encrypted, and the encryption keys were handed out by the same server.

After decompiling the modules back into Python code, the researcher found that the code contained embedded credentials for various Tesla services on the company's internal network, which was reached via VPN. In particular, the code contained user credentials for one of the hosts in the "dev.teslamotors.com" subdomain on the internal network.
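Embedded credentials are the first thing to look for in anything a vendor ships to customers. The following is an added example written for this article, not code from the original page, from the researcher or from Tesla: a small scanner that walks decompiled Python source for password-style assignments, credentials embedded in URLs and pasted private keys. The sample source it runs on, and every host name and secret in it, is constructed for illustration.

```python
"""Scan decompiled Python source for embedded credentials.

Added example for this article; not the researcher's or Tesla's code. The
SAMPLE text below is a constructed stand-in for decompiler output, and every
host name and secret in it is fictitious.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    value: str


# Decompilers preserve string literals and (usually) variable names, so
# credentials tend to survive as plain assignments or as userinfo in URLs.
ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(?P<name>[a-z0-9_]*(?:pass(?:word|wd)?|secret|token|api_?key)[a-z0-9_]*)
    \s*=\s*
    (?P<quote>['"])(?P<value>.*?)(?P=quote)
    """
)
URL_USERINFO = re.compile(
    r"""(?ix)\b[a-z][a-z0-9+.-]*://(?P<user>[^:/\s'"]+):(?P<pw>[^@\s'"]+)@(?P<host>[^/\s'"]+)"""
)
PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")

# Values that are obviously not real secrets; skipping them keeps the report short.
PLACEHOLDERS = {"", "changeme", "xxx", "<password>", "none", "null", "your_password"}


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per credential-looking construct, in source order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.search(line)
        if m and m.group("value").strip().lower() not in PLACEHOLDERS:
            findings.append(Finding(line_no, "assignment:" + m.group("name"), m.group("value")))
        m = URL_USERINFO.search(line)
        if m:
            findings.append(Finding(line_no, "url-userinfo@" + m.group("host"),
                                    m.group("user") + ":" + m.group("pw")))
        if PRIVATE_KEY.search(line):
            findings.append(Finding(line_no, "private-key", line.strip()))
    return findings


# Constructed stand-in for decompiled module output (fictitious hosts and secrets).
SAMPLE = """
import requests
DEV_HOST = "build01.dev.example.internal"
DEV_USER = "deploy"
DEV_PASSWORD = "s3cr3t-deploy-pw"
DB_URL = "postgresql://app:dbpass123@db.example.internal/app"
api_token = ""  # empty placeholder, must not be reported

def fetch(path):
    return requests.get("https://" + DEV_HOST + path, auth=(DEV_USER, DEV_PASSWORD))
"""


def report(text: str) -> str:
    """Render findings as 'line:kind=value' rows, with the secret partly masked."""
    rows = []
    for f in scan_source(text):
        shown = f.value if f.kind == "private-key" else f.value[:3] + "***"
        rows.append(f"{f.line_no}:{f.kind}={shown}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE))
```

The scanner deliberately keeps the variable-name list narrow (password, secret, token, api_key) and drops empty or placeholder values; a broader list catches more but drowns the reviewer in false positives such as `author = "..."`. Run against real decompiler output, the host names attached to each finding are what tell you which internal systems the shipped code can reach.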

Until 2019, cars connected to Tesla's services over an OpenVPN-based VPN (later replaced by a websocket-based implementation), using a key generated for each car. The VPN served the mobile application, retrieval of the list of charging stations and similar services. The researcher scanned the network reachable after connecting his car via the VPN and found that the customer-facing subnet was not adequately isolated from Tesla's internal network. Among other hosts, the dev.teslamotors.com host for which credentials had been found was reachable.

The compromised server turned out to be a cluster management node responsible for delivering applications to other servers. After logging into that host, the researcher was able to obtain part of the source code for internal Tesla services, including mothership.vn and firmware.vn, which are responsible for transmitting commands to customer cars and for delivering firmware. Logins and passwords for the PostgreSQL and MySQL databases were also found on the server. Along the way, it turned out that most of the components could be accessed without the credentials found in the modules: it was enough to send an HTTP request to the Web API from the customer-accessible subnet.

Among other things, a module was found on the server containing a file good.dev-test.carkeys.tar with VPN keys used during development. These keys turned out to be working and allowed the researcher to connect to the company's internal VPN, vpn.dev.teslamotors.com.

The server also held the code of the mothership service, and studying it revealed the endpoints of many management services. Most of those management services turned out to be reachable from any car once connected with the developer VPN keys that had been found. By manipulating the services, it was possible to extract the daily-rotated access keys of any car, as well as copies of any customer's credentials.

This information made it possible to determine the IP address of any car connected via the VPN. Since the vpn.dev.teslamotors.com subnet was not properly separated by the firewall, simple routing manipulation was enough to reach the customer's car IP and connect to the car over SSH as root, using the customer's previously obtained credentials.

In addition, the obtained VPN parameters for the internal network made it possible to send requests to any car through the Web API mothership.vn.teslamotors.com, which were accepted without additional authentication. During tests it was demonstrated that the car's current location could be determined, the doors unlocked and the vehicle started. The car's VIN serves as the identifier for selecting the target.

Source: opennet.ru