TBONE: for public release on 2021-04-28

Security researchers Ralf-Philipp Weinmann of Kunnamon, Inc. and Benedikt Schmotzle of Comsecuris GmbH have found remote zero-click security vulnerabilities in an open-source software component (ConnMan) used in Tesla automobiles that allowed them to compromise parked cars and control their infotainment systems over WiFi. It would be possible for an attacker to unlock the doors and trunk, change seat positions, both steering and acceleration modes - in short, pretty much what a driver pressing various buttons on the console can do. This attack does not yield drive control of the car though. Named “TBONE”, these exploits were originally written for the PWN2OWN 2020 contest, which was cancelled due to COVID-19. They later disclosed these vulnerabilities to Tesla, who patched them in update 2020.44 in late October 2020.

The affected components were also widely used in infotainment systems of other car manufacturers as well. Eventually the German CERT was engaged and the wider automotive industry was informed of the vulnerability in January 2021. Patches have been checked into the Git repository and a new version of ConnMan (v1.39) has been released since February 2021. The researchers therefore decided to demonstrate these vulnerabilities to the cybersecurity community at large.

“Looking at the fact TBONE required no user interaction, and ease of delivery of the payload to parked cars, we felt this attack was ‘wormable’ and could have been weaponized”, says Kunnamon CEO Ralf-Philipp Weinmann. “Adding a privilege escalation exploit such as CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware in the Tesla car, turning it into an access point which could be used to exploit other Tesla cars that come into the victim car’s proximity. We did not want to weaponize this exploit into a worm, however.”

It is important to note that Dr. Weinmann and Mr. Schmotzle discovered the vulnerability and created a reliable exploit for it without having access to an actual Tesla car. “We emulated Tesla’s ConnMan entirely in our own emulator - KunnaEmu. KunnaEmu’s emulation is accurate enough to allow for the exploit to be successful as-is on actual Tesla hardware.”, said Dr. Weinmann. “Automotive manufacturers can scale up their software testing and remediation pipelines by orders of magnitude by using KunnaEmu. Our mission at Kunnamon is to bring the power of cloud computing and emulation for testing embedded automotive systems, at scale.”

For enquiries, please reach out to info@kunnamon.io


Redacted TBONE document submitted to Tesla bug bounty program [PDF, 484kBytes]

Slides of talk given at CanSecWest 2021

TBONE: Drone vs. Tesla [Google Slides]

Video recording of CSW 2021 talk