Published on July 16th, 2019
Cracked windshield helps hacker find bug in Tesla Model 3
Hackers typically crack software, but web application security researcher Sam Curry quite literally cracked his Tesla Model 3 and discovered a vulnerability that earned him a hefty reward from the car maker's bug bounty program.
After a rock bounced up and damaged the windshield of Curry's very own Model 3, the seemingly unlucky happenstance actually led him to a vulnerability that he says could have allowed attackers to pull and modify live information about drivers' vehicles, and possibly view customer information as well.
The find earned him $10,000 from Tesla's bug bounty program, Curry reported in a July 14 post on his personal blog.
Curry (@samwcyo), who hails from Elkhorn, Neb., said he purchased the vehicle earlier this year, and in April 2019 attempted to find vulnerabilities in the "Name Your Vehicle" functionality as well as the web browser. At one point, while inputting the name of his car, he entered a particular line of code designed to hunt cross-site scripting (XSS) vulnerabilities.
Curry's efforts didn't immediately yield any significant finds. But then in June 2019, his car suffered that cracked windshield. Things got interesting shortly after the researcher used Tesla's in-app support feature to set up an appointment with a Tesla support agent.
"One of the agents responding to my cracked windshield fired my XSS hunter payload from within the context of the 'garage.vn.teslamotors.com' domain," Curry wrote in his post. This domain corresponded to a dashboard page that displays the vehicle's vital statistics, and is accessible via an incremental vehicle ID number in the URL. Curry noted that the dashboard appears to be an internal application that allows Tesla live support agents to send updates to cars or modify their configurations.
"There was current information about my car shown in the attached XSS hunter screenshot like the speed, temperature, version number, tire pressure, whether it was locked, alerts, and many more little tidbits of information," Curry explained. "Additionally, there were tabs about firmware, CAN viewers, geofence locations, configurations, and internal code-names that sounded interesting…"
Further investigation ultimately uncovered a vulnerability: "I didn't attempt this, but it is likely that by incrementing the [vehicle ID number] sent to the vitals endpoint, an attacker could pull and modify information about other cars," Curry wrote. "If I were an attacker attempting to compromise this I'd probably have to submit a few support requests but I'd eventually be able to learn enough about their environment via viewing the DOM and JavaScript to forge a request to do exactly what I'd want to do."
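The two weaknesses described above in miniature, as an added illustration that is not code from the article, from Curry or from Tesla: an owner-chosen vehicle name rendered raw into an agent-facing dashboard (stored XSS), and a sequential vehicle ID in the URL treated as if it were proof of access (no object-level authorization). Vehicle records, agent tickets and the `render_vitals`/`get_vitals_page` functions are constructed for this example.

```python
import html
from dataclasses import dataclass, field


@dataclass
class Vehicle:
    vehicle_id: int      # sequential ID, the kind exposed in the dashboard URL
    owner_id: str
    name: str            # free text chosen by the owner via "Name Your Vehicle"
    vitals: dict = field(default_factory=dict)


# Constructed sample data for this example; not real records.
VEHICLES = {
    1001: Vehicle(1001, "owner-a", "Daily Driver", {"speed": 0, "locked": True}),
    1002: Vehicle(1002, "owner-b", "Ride <script>alert('name')</script>", {"speed": 42, "locked": False}),
}
# Which support agent currently has an open ticket for which vehicle (constructed).
OPEN_TICKETS = {"agent-1": {1002}}


def render_vitals_unsafe(v: Vehicle) -> str:
    """The pattern behind the report: owner-controlled text dropped raw into agent-facing HTML."""
    items = "".join(f"<li>{k}: {val}</li>" for k, val in v.vitals.items())
    return f"<h1>{v.name}</h1><ul>{items}</ul>"


def render_vitals(v: Vehicle) -> str:
    """Hardened rendering: every value that originated outside the server is HTML-escaped."""
    items = "".join(
        f"<li>{html.escape(str(k))}: {html.escape(str(val))}</li>" for k, val in v.vitals.items()
    )
    return f"<h1>{html.escape(v.name)}</h1><ul>{items}</ul>"


def is_authorized(vehicle_id: int, requester_id: str) -> bool:
    """Object-level check: the requester must own the car or hold an open ticket for it."""
    v = VEHICLES.get(vehicle_id)
    if v is None:
        return False
    return v.owner_id == requester_id or vehicle_id in OPEN_TICKETS.get(requester_id, set())


def get_vitals_page(vehicle_id: int, requester_id: str) -> str:
    """Vitals endpoint: the ID in the URL is a lookup key, never a credential."""
    if not is_authorized(vehicle_id, requester_id):
        # Same response for "missing" and "not yours", so the ID space cannot be enumerated.
        raise PermissionError("not authorized for this vehicle")
    return render_vitals(VEHICLES[vehicle_id])


if __name__ == "__main__":
    print(render_vitals_unsafe(VEHICLES[1002]))  # script tag survives intact
    print(get_vitals_page(1002, "agent-1"))      # escaped, and served only because of the ticket
```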
Curry said Tesla issued a hot fix less than 12 hours after he reported the issue to the company.