Gone Phishing (for Teslas)

By Sean Bolak

Jul 17, 2014

Disclaimer: I’m not responsible for what you do with this information. This text is for educational purposes only.

If you’re in tech or just like paying attention to tech news, you probably already know that the Tesla Model S is equipped with a REST API. That’s cool and all, but your prized possession just got a lot easier to hack.

The Tesla REST API only requires an e-mail address and a simple password in the authentication request to give someone access to all of the car’s API functionality.

I’ve found unofficial documentation for said API on apiary.io; you can view it here.

If you read into the documentation, you will soon realize that it includes functionality such as locking and unlocking the doors, and GPS tracking the vehicle.

The username and password combination that we discussed earlier is the same combination one would use to log in to the Tesla website. Therefore, any conventional way of phishing your victim’s account information is a viable way to hack into the victim’s vehicle.

The Execution

First, you would use something like SiteSucker to grab the Tesla ‘forgot password’ screen in all its glory. You could spin up a VPS and throw the fake site on there. This will literally only take you about 20 minutes (if you’re slow).

You’ll have to build a back-end that logs the attempts for your faux password reset form, and then sends them to an e-mail address or saves them to a database. The form should have one current password field, a new password field, and then a confirm new password field. You obviously don’t have to record the new password, just the old one.

The next part is a little more difficult: you’ll have to procure a list of victim e-mail addresses (the e-mail address should be the one tied to the victim’s Tesla account, so that your fake e-mail is believable when you send it). To correlate the hacked passwords with their proper e-mail accounts, you can either require that the user confirm their e-mail address on the password reset form, or you can just create unique links for each e-mail address (something like a querystring that passes the e-mail address into a hidden field on the form).

Building on the last step, it’s time to test your e-mail design skills. The more legitimate this e-mail looks, the better. Design a fake e-mail from Tesla that says something like:

Dear customer name, in a recent security update, we have introduced a new password format that every Tesla customer must adhere to. You are now required to use a capital letter, a number, and a symbol while keeping your password to a minimum of 10 characters. You are receiving this e-mail because your current password does not meet our new criteria. Please use the secure link below to update your password.

Link to your fake password reset form goes here.

Now just send your e-mail out to all of the victim e-mail addresses that you have procured, and wait. No doubt some of them will be wary and realize that it’s a phishing attack, but if your list is long enough someone will undoubtedly fall for it.
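From the receiving side, the lure described above has three tells a mail filter or a cautious owner can check mechanically: the sender’s address is not on the vendor’s domain even though the display name claims to be, the “secure link” points at a domain that is not the vendor’s, and the link already carries the recipient’s e-mail address in its query string (the correlation trick the previous step describes). The following Python script is an added defensive example, not code from the original post; the sample message, the addresses and hosts in it, and the `LEGITIMATE_DOMAINS` allowlist are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed sample modelled on the lure described in the post.
# Every address and host here is made up for illustration.
SAMPLE_EMAIL = """\
From: Tesla Customer Support <support@tesla.example-reset.com>
To: owner@example.com
Subject: Action required: new password format

Dear customer, in a recent security update we have introduced a new password
format that every Tesla customer must adhere to. You are receiving this e-mail
because your current password does not meet our new criteria. Please use the
secure link below to update your password.

https://tesla.example-reset.com/account/reset?email=owner%40example.com
"""

# Assumed allowlist of the vendor's real domains (placeholder; in practice this
# comes from your organisation's mail-security configuration).
LEGITIMATE_DOMAINS = {"tesla.com"}

# Phrases typical of the "new password policy" pretext the post describes.
LURE_PHRASES = (
    "new password format",
    "does not meet our new criteria",
    "update your password",
    "secure link below",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Query parameters that pre-identify the recipient on a reset link.
IDENTIFIER_PARAMS = {"email", "e-mail", "user", "account"}


def registrable_domain(host: str) -> str:
    """Reduce a host to its last two labels. Naive on purpose: it ignores
    multi-part public suffixes such as co.uk, which a real deployment would
    handle with the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_is_trusted(host: str, allowed=LEGITIMATE_DOMAINS) -> bool:
    """True when the host's registrable domain is on the vendor allowlist."""
    return registrable_domain(host) in allowed


def analyze(email_text: str, allowed=LEGITIMATE_DOMAINS) -> dict:
    """Flag the three tells of the password-reset lure in one RFC 822 message."""
    msg = message_from_string(email_text)
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []

    # 1. Sender: the display name says "Tesla", the mailbox domain may not.
    _, sender = parseaddr(msg.get("From", ""))
    if sender and "@" in sender:
        sender_host = sender.rsplit("@", 1)[1]
        if not host_is_trusted(sender_host, allowed):
            findings.append(
                f"sender domain {registrable_domain(sender_host)!r} is not an allowed vendor domain"
            )

    # 2. Links: a reset link pointing off the vendor's domains is the core tell.
    links = URL_RE.findall(body)
    for url in links:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not host_is_trusted(host, allowed):
            findings.append(f"link host {host!r} is not an allowed vendor domain")
        # A reset link that already names the recipient is the per-victim
        # correlation trick; legitimate reset links normally carry only a token.
        if IDENTIFIER_PARAMS & {k.lower() for k in parse_qs(parsed.query)}:
            findings.append(f"link on {host!r} carries a recipient identifier in its query string")

    # 3. Pretext: the "new password policy" wording, compared with line wraps
    #    collapsed so phrases split across lines still match.
    lowered = " ".join(body.lower().split())
    hits = [p for p in LURE_PHRASES if p in lowered]
    if len(hits) >= 2:
        findings.append(f"password-policy pretext phrases present: {hits}")

    return {"links": links, "lure_hits": hits, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL)["findings"]:
        print("-", finding)
```

The domain comparison is done on the registrable domain rather than the full host so that a lookalike such as `tesla.<something-else>.com` is not mistaken for a vendor subdomain; the allowlist and the phrase list are the two knobs to adapt to another vendor’s real domains and wording.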

Once you have their username & password, you can use the API to issue requests to the vehicle (the GPS request would be handy, so that you can locate it). Even if you don’t wish to use the API, you can literally just log in to the Tesla website and wreak havoc from there, a nicely designed GUI for your exploitation needs.

The aforementioned was purely hypothetical as I haven’t personally tried this method, but it is extremely viable. If you thought that this article was interesting please follow me on Twitter.


Bolak

polymath & futurist with a focus on computer science, AI, and theoretical physics.