Fuzzing for zero days on Tesla's conman

Written by Assaf Harel, Chief Scientist & Co-Founder | May 3, 2021 11:59:29 AM

Kunnamon presented a drone-assisted Tesla hack, TBONE, at CanSecWest last month.

 

The team used a fuzzer to find two new zero days in the ConnMan package: a stack-based buffer overflow in its DNS proxy (CVE-2021-26675) and a stack information leak in its DHCP client (CVE-2021-26676). Chaining the two let them get past the exploit mitigations in place, ASLR and stack canaries: the leak exposes stack contents, which is exactly what a reliable exploit of the overflow needs. The result was remote code execution over WiFi. A drone carrying a WiFi access point connected to a Tesla Model X, exploited the vulnerabilities and opened its doors.

 

Tesla fixed this in a timely manner. If you use ConnMan yourself, upgrade to 1.39 or later, the release that contains the fixes.

 

However, judging from the slew of IP-stack vulnerabilities published lately (see the list below), including Microsoft's BadAlloc findings last week, more are coming. Existing OS mitigations against stack overflows, ASLR and stack canaries among them, are a good start, but on their own they may no longer be enough: TBONE shows that one additional bug that leaks stack memory is all it takes to sidestep both.
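The bug class behind the DNS-proxy finding above, and the kind of target a fuzzer turns up quickly, as an added example that is not ConnMan's code or the TBONE authors' code: a DNS-style name decoder written once without bounds checks and once with them, plus a stdin harness that can be handed to AFL. The function names, the SAMPLE_MSG bytes and the NAME_MAX/MAX_HOPS limits are assumptions made for this example.

```c
/* Added example (not ConnMan's code): a DNS-style name decoder written
 * unchecked and bounds-checked, plus a stdin harness for AFL.
 * All message bytes below are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 256   /* presentation-form name buffer, incl. NUL */
#define MAX_HOPS 16    /* cap on compression-pointer follows */

/* Vulnerable: trusts wire label lengths and ignores out_len, so enough long
 * labels write past the caller's (stack) buffer. Here only to be fuzzed. */
int decode_name_vulnerable(const uint8_t *msg, size_t msg_len, size_t off,
                           char *out, size_t out_len)
{
    size_t pos = 0; int hops = 0;
    (void)out_len;                          /* the defect: size never checked */
    while (off < msg_len) {
        uint8_t len = msg[off];
        if (len == 0) { out[pos] = '\0'; return (int)pos; }
        if ((len & 0xC0) == 0xC0) {         /* compression pointer */
            if (off + 1 >= msg_len || ++hops > MAX_HOPS) return -1;
            off = (size_t)((len & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if (off + 1 + len > msg_len) return -1;
        memcpy(out + pos, msg + off + 1, len);  /* pos + len may exceed out */
        pos += len;
        out[pos++] = '.';
        off += 1 + len;
    }
    return -1;                              /* ran off the end of msg */
}

/* Hardened: every write is checked against out_len first, label lengths
 * above 63 are rejected, and pointer chains are bounded. */
int decode_name_hardened(const uint8_t *msg, size_t msg_len, size_t off,
                         char *out, size_t out_len)
{
    size_t pos = 0; int hops = 0;
    while (off < msg_len) {
        uint8_t len = msg[off];
        if (len == 0) { if (pos >= out_len) return -1; out[pos] = '\0'; return (int)pos; }
        if ((len & 0xC0) == 0xC0) {
            if (off + 1 >= msg_len || ++hops > MAX_HOPS) return -1;
            off = (size_t)((len & 0x3F) << 8) | msg[off + 1];
            continue;
        }
        if (len > 63) return -1;                 /* 0x40/0x80 prefixes are reserved */
        if (off + 1 + len > msg_len) return -1;  /* label runs past the message */
        if (pos + len + 1 >= out_len) return -1; /* need room for label, '.', NUL */
        memcpy(out + pos, msg + off + 1, len);
        pos += len;
        out[pos++] = '.';
        off += 1 + len;
    }
    return -1;
}

/* Constructed message: "example.com" at offset 0, "www" + pointer to offset 0
 * at offset 13, and a pointer to itself at offset 19 (a loop). */
static const uint8_t SAMPLE_MSG[] = {
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0,
    3, 'w','w','w', 0xC0, 0x00,
    0xC0, 0x13
};

/* Decode from SAMPLE_MSG with the hardened decoder; NULL means rejected. */
const char *decode_sample_at(size_t off)
{
    static char out[NAME_MAX];
    if (decode_name_hardened(SAMPLE_MSG, sizeof SAMPLE_MSG, off,
                             out, sizeof out) < 0)
        return NULL;
    return out;
}

/* Five 63-byte labels decode to 320 bytes, more than NAME_MAX: the hardened
 * decoder must return -1 rather than write past the 256-byte buffer. */
int overlong_name_verdict(void)
{
    uint8_t msg[5 * 64 + 1];
    char out[NAME_MAX];
    size_t off = 0;
    for (int i = 0; i < 5; i++) { msg[off++] = 63; memset(msg + off, 'a', 63); off += 63; }
    msg[off++] = 0;
    return decode_name_hardened(msg, off, 0, out, sizeof out);
}

/* AFL harness: one message on stdin, decoded from offset 0 into a stack
 * buffer. Swap in decode_name_vulnerable to see ASan flag the overflow. */
int main(void)
{
    uint8_t msg[4096];
    char name[NAME_MAX];
    size_t n = fread(msg, 1, sizeof msg, stdin);
    int r = decode_name_hardened(msg, n, 0, name, sizeof name);
    printf("%d %s\n", r, r < 0 ? "(rejected)" : name);
    return 0;
}
```

To fuzz it the way the linked AFL write-up describes, build the harness with `afl-clang-fast` and `AFL_USE_ASAN=1`, put a valid message such as SAMPLE_MSG in a seed directory, and run `afl-fuzz -i seeds -o findings -- ./harness`. With the vulnerable decoder swapped in, AddressSanitizer reports the first out-of-bounds byte of the label copy; in a production build without ASan the same write silently runs over the stack frame, and a canary only stops the exploit if the attacker cannot read it first, which is the point of the chained leak in TBONE.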

 

The fact that attackers can take their time with advanced tools, unearthing zero days in the process, means that self-protection for software is more important than ever. If all that two (very smart) guys in a garage need to find zero days that allow a Tesla takeover is a lot of knowledge, a little time, and access to some open source tools and packages, then you had better add an additional layer of cybersecurity (or two).

 

We at Karamba would be happy to show you how our CFI solution helps block exploitation of bugs of this type: the overflow still exists, but the hijacked control flow is stopped before it runs. That saves you bounty prizes, eliminates response cycles, and of course outright lowers your risk and makes life harder for the next attackers going after Tesla. It integrates seamlessly with no need to modify source files.

 

The fuzzing tool used (AFL with ASan, introductory write-up): https://countuponsecurity.com/2018/04/24/intro-to-american-fuzzy-lop-fuzzing-with-asan-and-beyond/

The researchers' report (TBONE): https://kunnamon.io/tbone/tbone-v1.0-redacted.pdf

 

BadAlloc – more than 25 CVEs in memory-allocation routines across RTOSes, embedded SDKs and C standard library implementations, published by Microsoft in April 2021. CISA advisory here - https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04

 

Urgent/11 – 11 vulnerabilities in the IPnet TCP/IP stack used by VxWorks, disclosed by Armis researchers in 2019. Because IPnet is also used by other operating systems, multiple updates were published to this advisory - https://us-cert.cisa.gov/ics/advisories/icsa-19-274-01

 

Ripple20 – 19 vulnerabilities in the Treck TCP/IP stack, several of them in its DNS handling, discovered by JSOF researchers, June 2020

 

Amnesia:33 – 33 vulnerabilities in four open source TCP/IP stacks, published by Forescout researchers in December 2020 - https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01


Treck stack – further vulnerabilities in the Treck TCP/IP stack, discovered by Intel researchers, December 2020; CISA advisory: https://us-cert.cisa.gov/ics/advisories/icsa-20-353-01

 
