Two cybersecurity researchers, Ralf-Philipp Weinmann and Benedikt Schmotzle, have discovered zero-day security flaws in Intel’s ConnMan, which is an open-source software component for embedded devices managing the network connections.

They call their attack TBONE, and it enables attackers to take full control of the infotainment system of a Tesla without any user interaction and perform tasks that a regular user could from the infotainment system. For example, opening doors, changing seat positions, playing music, controlling the air conditioning, and modifying steering and acceleration modes. But the attack does not yield drive control of the car.

The two researchers have demonstrated how they could use a DJI Mavic 2 drone to launch an attack via a Wi-Fi module to connect to the infotainment unit of a parked Tesla car and launch the remote attack aimed at ConnMan and open the doors of the car from a distance of up to 100 meters. According to the two security researchers the exploit worked on Tesla’s S, 3, X and Y models but after that they been reaching out to Tesla, Intel, and Germany’s national CERT for help in informing potentially impacted vendors, the flaws have nowadays been patched. However, the vulnerable ConnMan component is used by many carmakers and a new version (build 1.39) was published in February 2021. It is not clear though, if other manufacturers have taken action in response to the researchers’ findings, but hopefully affected carmaker has included the new release in their software updates.

Further, the researchers claim that the attack is wormable and could be weaponized as TBONE would allow them to load new Wi-Fi firmware in the Tesla car and turn it into an access point. This could so be used to exploit the infotainment systems of other Tesla cars that come into the hacked car’s proximity.

Weinmann and Schmotzle presented their findings at the CanSecWest conference earlier this year, and a video of them presenting their work and hacking a Tesla using a drone can be seen at this link.

Written by Joakim Rosell.