Tesla (S&X) - (Interface Pair) Code Execution Vulnerability

Type vulnerlab
Reporter Benjamin K.M. [bkm@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Modified 2016-10-04T00:00:00


                                            Document Title:
Tesla (S&X) - (Interface Pair) Code Execution Vulnerability

References (Source):

Release Date:

Vulnerability Laboratory ID (VL-ID):

Common Vulnerability Scoring System:

Vulnerability Class:
Filter or Protection Mechanism Bypass

Current Estimated Price:
10.000€ - 25.000€

Product & Service Introduction:
Tesla Motors, Inc. is an American automotive and energy storage company that designs, manufactures, 
and sells electric cars, electric vihicles powertrain components and battery products. Tesla Motors 
is a public company that trades on the NASDAQ stock exchange under the symbol TSLA. In the first 
quarter of 2013, Tesla posted profits for the first time in its history.

(Copy of the Vendor Homepage: http://www.teslamotors.com/ )

Abstract Advisory Information:
The Evolution Security GmbH and the Vulnerability Laboratory Core Research Team discovered during a private customer Penetration 
Test a high severity code execution vulnerability in the official Tesla (X&S) automobile hardware components.

Vulnerability Disclosure Timeline:
2016-10-01: Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Affected Product(s):
Product: Tesla Car - (Interface) S & X

Exploitation Technique:

Severity Level:

Authentication Type:
Restricted authentication (user/moderator) - User privileges

User Interaction:
No User Interaction

Disclosure Type:
Independent Security Research

Technical Details & Description:
A code execution vulnerability in connection with a command injection issue has been discovered in the official Tesla (Model S & X) automobiles. 
The vulnerability allows to inject application-side code via command inject and tricks into a real script code execution in the embed car interface 
that is connected to the hardware components.

The vulnerability is located in the pair function of the cars when processing to use the device name. The device name becomes after a pair available 
to the full interface of the Tesla- or Volkswagen electro -automobile. Thus vector we used to attack the core system of the car. The ios devices allows 
to change the device name to any value including special chars and other chars. Our team injected a payload to the device name. After that we installed 
a web-server app to the ios device (iphone 5s) and prepared locally some manipulated interface files in js for the final refresh (execution). 

After that interaction we paired the mobile to the automobiles and activated the scripts in the interface by opening via push the configuration settings. 
In the Volkswagen electro cars the payload executes directly after sync, in the Tesla car you need to watch the sync information to finally execute the code. 
After the execution of the code occurs in the VW display or Tesla car interface the issue needs to be refreshed. When synchronized, the mobile comes to the 
local car wifi network, thus allows us to surf locally to the web-server by click on the payload in the car interface.

At the end we where able to manipulate the display information of the Volkswagen automobile and the interface of Tesla. By interaction through a reverse 
communication it is also possible to avoid hardware specific function to finally compromise the car by interaction via hardware. In case of the both different 
car types the issue becomes available because of the same way of implementation in the car infotainment system of volkswagen and the embed interface of tesla. 
Both parties include the device name with no secure implementation routine to filter the input, thus results in the execution finally. Regular script code tags 
and frame are already filtered.

The security risk of the code execution vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.6. 
Exploitation of the application-side command inject vulnerability with embed code execution results in the compromise of the car interface 
infotainment-system and continuously manipulation of connected devices, the firmware or hardware components.

Vulnerable Module(s):
[+] Pair - (Wifi & Bluetooth)

Affected Module(s):
[+] Interface - Tesla

Affected Automobil(s):
[+] Tesla Car - Model X & Model S

Proof of Concept (PoC):
The application-side to hardware specific validation vulnerability in the tesla car and vw car interface can be exploited by remote attackers 
with embed device access privileges and without user interaction. For security demonstration or to reproduce the security vulnerability follow 
the provided information and steps below to continue.

[+] iPhone 5s or iPad 2 (iOS 7.x or 8.x)
[+] Bluetooth or Wifi (Adapter or Hardware Implementation connected to the mobile Device)
[+] Wifi app for the mobile that uses a local web-server in the local network environment
[+] Tesla Car - Model X & Model S with the basic interfaces (2015)

Optional Requirement(s):
[+] Network Sniffer to set between the local and mobile connection (for local network and mobile
device on pair interaction)

Manual steps to reproduce the vulnerability ...
1. Setup an iOS device with for example iphone or an ipad
2. Install a web-server for wifi or bluetooth that becomes available in the local network environment
3. Activate bluetooth or wifi (better wifi because of the web-server)
4. Now go to info > settings > device name of iOS (iphone or ipad) and inject a script code payload that is able to bypass the webkit validation
PoC Payload: "benjamin1&{alert('CarInterfaceUpdate')};%20>"<<a onmouseover=http://localhost:8080/index>refresh-tesla-interface&
%20<img src="http://localhost:8080/interface.js"></a>
5. Save the input of the device name to change the value finally
6. Now start the pair function of the Tesla interface and sync the mobile
Note: Next to the sync via pair the device name of the mobile becomes available in the interface of
Tesla model S electrocar interface webkit display
7. Start the interface and watch the payload in the sync config information
8. The payload executes in the interface on preview
9. Now the attacker interacts by starting the local web-server were with the files that are stored for simulation of the exploitation
10. After starting the web-server successful in the car WIFI network the attacker can click the payload to execute via a page refresh with the new web-server context
Note: Refreshing by a push to the interface with the link payload as interaction to trick the exploit code to execute
11. The attacker is now able to change the interface output and can interact to execute codes against the hardware specific points
12. Successful reproduce of the code execution vulnerability that is in connection with the device name value encoding!

Note: We was finally able to take-over the tesla car interface by interaction with a compromised device, that uses a web-server next to the main pair interaction. 
We changed the images and hardware information display as well as the information like speed and co. Even if the Tesla cars are different 
the type of implementation with the pair and a device is the same. Maybe other entertainment system or operating systems are affected as well. After recording the 
information with a network sniffer we where able to extract the package information on sync to provoke an execution without the device by a man in the middle attack.

Solution - Fix & Patch:
The security vulnerability in the interface of the tesla cars automobile can be patched by a secure parse and encode the 
device cell name value when processing to pair (sync). Restrict the output that is available to be displayed and filter for malicious context 
that will be visible to the interface or display to prevent an execution. Include an exception to prevent the active exploitation after the 
pair interaction by an user.

Security Risk:
The security risk of the command inject vulnerability in connection with the embed code execution issue is estimated as high. (CVSS 8.3)

Credits & Authors:
Benjamin K.M. [bkm@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

				    Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™