Tesla Model 3 vulnerability: What you need to know about the web browser bug
Introduction
In 2020, Jacob Archuleta, a researcher nicknamed Nullze, discovered an important information security vulnerability on the web browser of the Tesla Model 3 automobile. If a user of the car’s boarding computer visits a specific website, the entire touchscreen becomes unusable.
The vulnerability was quickly reported to Tesla in accordance with its bug bounty program. Tesla pays bug reporters between $100 and $15,000 for each reported cyberthreat. In February 2020, Tesla quickly addressed the reported bug by releasing a software update version 2020.4.10. Users of Tesla vehicles had the opportunity to install the update immediately or delay the installation for later.
Learn Vulnerability Management
The purpose of this article is to examine the vulnerability discovered by Nullze and provide recommendations on how to protect Tesla cars against similar vulnerabilities.
The vulnerability discovered by Nullze
Nullze found a vulnerability which allowed attackers to trigger the initiation of computer processes that overwhelm the boarding computer of the Tesla Model 3 and cause the entire touchscreen to freeze. The vulnerability is particularly dangerous because it turns off the autopilot notifications, the speedometer, the climate controls, the navigation and other important functions on Tesla Model 3. This may confuse the driver of the car and even lead to car crashes. For example, since the speedometer blocks completely after the attack, the driver may unintentionally overspeed and cause a car crash. The CVSS Version 3 of the US National Vulnerability Database assigned a base score of 6.5 to the vulnerability, which indicates that it is of medium severity.
The attack used to freeze Tesla’s boarding computer is a form of a denial-of-service attack (DoS). This type of cyberattack aims to make a computer unavailable by flooding it with a large number of requests in order to overburden its data processing capacities.
Team Fluoroacetate, a group of two researchers who discovered a just-in-time (JIT) browser bug on Tesla Model 3 in 2019, inspired Nullze to identify the attack vector. Team Fluoroacetate exploited the JIT bug in such a way as to display their own message on the infotainment system. As a reward for finding the JIT bug, Tesla gave to the researchers a Tesla Model 3.
Tesla’s approach regarding bugs on the boarding computers of Tesla cars should be applauded. Although no software is 100% bug-free, the company is actively engaged in testing its software and quickly addresses the identified bugs. The Tesla bug bounty program on Bugcrowd includes a legal safe harbor, allowing security researchers to avoid liability for conducting security investigations.
To benefit from the safe harbor, researchers need to meet a number of conditions, including, but not limited to:
- Provide Tesla with information about the vulnerability
- Make a good-faith effort to avoid privacy violations, destruction of data and interruption of Tesla’s services
- Abstain from modifying or accessing data that does not belong to the security researcher
- Make the information about the bug public only after providing Tesla with reasonable time to address the reported bug
Protection against similar cyberattacks
Individuals willing to protect against cyberattacks similar to the attack discovered by Nullze need to install all relevant information security patches as soon as they become available. Many software applications (including Tesla’s boarding software) provide their users with the option to automatically install security patches or to wait with the installation until a later date. The first option is always preferable, as it will ensure that the security vulnerability will be addressed quickly. The computers of people who choose the second option will remain vulnerable until they agree to install the security patch.
To protect against DoS attacks similar to the one outlined above, users of internet browsers are advised to visit only trusted websites. It is highly unlikely that such websites will include malicious software utilizing browser vulnerabilities.
Many vendors of antivirus malware offer tools allowing their users to evaluate the trustability of websites of their choice. For example, Trend Micro’s Site Safety Center assigns a score to websites on the basis of various factors: indications of suspicious activities, website’s age, changes and historical locations, to name a few. Based on those factors, the Center categorizes each of the examined websites in one of the following three categories: Safe, Dangerous and Suspicious.
Concluding remarks
This article has shown that even the software of one of the most innovative companies in the world (Tesla) had security vulnerabilities that could have led to car crashes and other accidents.
Pertaining to the consequences of cyberattacks on automobiles, it is worth reminding the readers about an experiment conducted in 2015 during which two computer security researchers located far away from the experimental car (the Jeep Cherokee) succeeded to turn on its radio and increase the volume to the maximum extent, turn on its air conditioning system and activate the windscreen fluids and the windshield wipers. All of this happened while the automobile was in full motion. The driver of the Jeep could do nothing to reverse any of those actions.
The aforementioned observations clearly show that users of automobile boarding computers need to take serious measures in order to avoid cyber incidents. Such measures need to include the regular installation of suitable patches and avoiding suspicious websites.
Learn Vulnerability Management
Sources
- Tesla, Bugcrowd
- Tesla Awards Researcher $10,000 After Finding XSS Vulnerability, SecurityWeek
- Vulnerability Exposed Tesla Central Touchscreen to DoS Attacks, SecurityWeek
- CVE-2020-10558 Detail, NIST
- Tesla Model 3 Hack – Disable Entire Tesla Model 3 Interface, Safekeep Security
- Site Safety Center, Trend Micro
- Lim, H., “Autonomous Vehicles and the Law: Technology, Algorithms and Ethics,” Edward Elgar Publishing
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
