Cyber attack hits car manufacturer

At the end of May, news was released that General Motors had been hit by a cyber attack exposing car owners’ personal information. GM assures its customers in a letter that information such as social security numbers, driving license data, and credit card and bank account numbers was not stolen.

What did the attackers do? The attackers performed a so-called credential stuffing attack. In this attack, leaked, published, or sold username/password combinations from previous data breaches are tried against another service, in this case GM’s customer login, in the hope that customers re-used the same combination there. Once the attackers had successfully signed in, they used the customers’ rewards points to obtain gift certificates.

Which information could they access? The attackers could access the customers’ name, email and physical address, username and phone number of registered family members, saved favorite location information, and search and destination information.

What is GM doing? In response, GM suspended gift card redemption, notified affected customers and required them to change their password at their next login.

Two-factor authentication is one mitigation against such attacks; however, this feature has to be provided by the service owner, in this case GM. Customers can avoid falling victim to such attacks by using a different password for every service. This can be cumbersome, which is where password safes (password managers) help.
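On the service-owner side, credential stuffing has a recognisable shape in the login logs: one source tries many different accounts in a short time and only a few attempts succeed. The following is an added example for this newsletter item, not GM's code; the log format, field names and thresholds are assumptions chosen for illustration, and the sample log lines are constructed. It flags such sources and lists the accounts that were successfully logged into from them, since those are the customers who need the forced password change the article mentions.

```python
"""Credential-stuffing detection over web-login audit logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data):
# "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2022-05-20T10:00:01 198.51.100.7 alice FAIL
2022-05-20T10:00:02 198.51.100.7 bob FAIL
2022-05-20T10:00:02 198.51.100.7 carol FAIL
2022-05-20T10:00:03 198.51.100.7 dave OK
2022-05-20T10:00:03 198.51.100.7 erin FAIL
2022-05-20T10:00:04 198.51.100.7 frank FAIL
2022-05-20T10:00:04 198.51.100.7 grace FAIL
2022-05-20T10:00:05 198.51.100.7 heidi FAIL
2022-05-20T10:00:05 198.51.100.7 ivan FAIL
2022-05-20T10:00:06 198.51.100.7 judy OK
2022-05-20T10:05:00 203.0.113.5 alice FAIL
2022-05-20T10:05:30 203.0.113.5 alice FAIL
2022-05-20T10:06:00 203.0.113.5 alice OK
2022-05-20T10:07:00 192.0.2.9 mallory OK
"""

# Thresholds (assumed): many attempts from one source, spread over many
# distinct accounts, with a low success ratio, is the stuffing signature.
# A single user mistyping their own password (203.0.113.5 above) must not fire.
WINDOW = timedelta(minutes=1)
MIN_ATTEMPTS = 8
MIN_DISTINCT_USERS = 6
MAX_SUCCESS_RATIO = 0.5


def parse_line(line):
    """Split one log line into (timestamp, ip, username, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=WINDOW, min_attempts=MIN_ATTEMPTS,
                               min_users=MIN_DISTINCT_USERS,
                               max_success_ratio=MAX_SUCCESS_RATIO):
    """Return {ip: alert} for each source IP whose attempts, within any sliding
    time window, look like credential stuffing.  The alert records the accounts
    that were successfully logged into from that source."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            current = events[start:end + 1]
            users = {u for _, u, _ in current}
            successful = [u for _, u, ok in current if ok]
            ratio = len(successful) / len(current)
            if (len(current) >= min_attempts and len(users) >= min_users
                    and ratio <= max_success_ratio):
                alert = alerts.setdefault(ip, {"attempts": 0, "distinct_users": 0,
                                               "compromised_accounts": set()})
                alert["attempts"] = max(alert["attempts"], len(current))
                alert["distinct_users"] = max(alert["distinct_users"], len(users))
                alert["compromised_accounts"] |= set(successful)

    for alert in alerts.values():  # stable, printable output
        alert["compromised_accounts"] = sorted(alert["compromised_accounts"])
    return alerts


def accounts_to_reset(alerts):
    """All accounts that should be forced through a password change."""
    return sorted({a for alert in alerts.values() for a in alert["compromised_accounts"]})


if __name__ == "__main__":
    found = detect_credential_stuffing(SAMPLE_LOG)
    for ip, alert in found.items():
        print(ip, alert)
    print("force password reset for:", accounts_to_reset(found))
```

Rate limiting or CAPTCHA per source IP alone is easy to sidestep with distributed sources, which is why the rule keys on the spread of distinct usernames and the success ratio rather than on volume alone; in production the same logic would also be run per ASN or per device fingerprint.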

The car gone in under 130 seconds

Unlocking vehicles has been a topic of this newsletter more than once, and yet again someone has found a new vulnerability. Martin Herfurt, a member of the Trifinite research group, found a vulnerability that allows an attacker to unlock a Tesla 3/Y, and possibly drive it, when an NFC card is used to unlock the vehicle.

Tesla allows the car to be started and driven immediately (within 130 seconds) after it is unlocked with an NFC card, without requiring another form of authentication. Herfurt found that during this window one is not only able to start the vehicle: the car is also in a state where it accepts new keys without any additional form of authentication and without any indication on the in-car display. The authorization timer attack exploits this fact and deposits a new key using the VCSEC protocol used by Tesla.

Tesla’s phone app does not allow such pairing without being linked to the owner’s Tesla account; however, Herfurt developed his own app, called TeslaKee, that talks to the car via Bluetooth Low Energy and enrolls his key within this 130-second window. Afterwards, the car can be unlocked with the attacker’s phone, and possibly also started and driven if no PIN is required for driving (PIN2Drive is disabled).
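The design flaw underneath the two paragraphs above is an authorization one: the proof that someone may drive the car for the next 130 seconds is reused as proof that they may add a permanent key, and the more privileged action leaves no trace on the display. The toy model below is an added example for this newsletter; it is not Tesla's code, it does not implement VCSEC or any real vehicle protocol, and the class, method names and the 30-second enrollment window are assumptions. It runs the same unattended enrollment attempt against the weak policy (one timer for both actions) and against a hardened policy in which enrollment needs its own, explicitly confirmed authorization that is shown to the driver.

```python
"""Toy model of a post-unlock authorization window (added example, not Tesla's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

DRIVE_WINDOW_SECONDS = 130   # the post-unlock window mentioned in the article
ENROLL_WINDOW_SECONDS = 30   # assumed length of an explicit enrollment window


@dataclass
class Vehicle:
    separate_enroll_auth: bool                  # False: weak policy, True: hardened
    keys: Set[str] = field(default_factory=lambda: {"owner-card"})
    unlocked_at: Optional[float] = None
    enroll_authorized_until: Optional[float] = None
    display_log: List[str] = field(default_factory=list)

    def nfc_unlock(self, key_id: str, now: float) -> bool:
        """Tapping an enrolled key unlocks the car and starts the drive timer."""
        if key_id not in self.keys:
            return False
        self.unlocked_at = now
        return True

    def in_drive_window(self, now: float) -> bool:
        return (self.unlocked_at is not None
                and now - self.unlocked_at <= DRIVE_WINDOW_SECONDS)

    def start_drive(self, now: float) -> bool:
        return self.in_drive_window(now)

    def authorize_enrollment(self, key_id: str, now: float) -> bool:
        """Hardened policy only: an existing key explicitly opens a short
        enrollment window, and the driver is told about it on the display."""
        if not self.separate_enroll_auth or key_id not in self.keys:
            return False
        self.enroll_authorized_until = now + ENROLL_WINDOW_SECONDS
        self.display_log.append(f"t={now}: key enrollment authorized by {key_id}")
        return True

    def enroll_key(self, new_key_id: str, now: float) -> bool:
        """Request from a nearby device to add itself as a key."""
        if self.separate_enroll_auth:
            allowed = (self.enroll_authorized_until is not None
                       and now <= self.enroll_authorized_until)
        else:
            # Weak policy: "allowed to drive" is reused as "allowed to add keys".
            allowed = self.in_drive_window(now)
        if allowed:
            self.keys.add(new_key_id)
            if self.separate_enroll_auth:
                self.display_log.append(f"t={now}: new key {new_key_id} enrolled")
                self.enroll_authorized_until = None  # one enrollment per authorization
        return allowed


def unattended_enrollment(separate_enroll_auth: bool) -> dict:
    """Owner unlocks with the card; an unknown device asks to enroll itself
    inside the drive window with no further interaction from the owner."""
    car = Vehicle(separate_enroll_auth=separate_enroll_auth)
    car.nfc_unlock("owner-card", now=0)
    enrolled = car.enroll_key("unknown-phone", now=60)
    return {
        "enrolled_silently": enrolled,
        "display_messages": len(car.display_log),
        "unknown_key_unlocks_later": car.nfc_unlock("unknown-phone", now=3600),
    }


def legitimate_enrollment() -> dict:
    """Hardened policy: the owner explicitly authorizes, then pairs a new phone;
    a second device cannot piggyback on the consumed authorization."""
    car = Vehicle(separate_enroll_auth=True)
    car.nfc_unlock("owner-card", now=0)
    authorized = car.authorize_enrollment("owner-card", now=10)
    enrolled = car.enroll_key("owner-phone", now=20)
    second = car.enroll_key("another-phone", now=25)
    return {"authorized": authorized, "enrolled": enrolled,
            "second_without_new_auth": second,
            "display_messages": len(car.display_log)}


if __name__ == "__main__":
    print("weak policy:    ", unattended_enrollment(separate_enroll_auth=False))
    print("hardened policy:", unattended_enrollment(separate_enroll_auth=True))
    print("legitimate:     ", legitimate_enrollment())
```

The two changes in the hardened branch are the ones a threat model of "unlock with NFC card" would produce: a separate, short-lived authorization for the privileged action (least privilege for the session the card tap creates), and a user-visible record of every key change so that an enrollment the owner did not ask for is at least noticed.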

Written by Thomas Rosenstatter