FREE-FALL: HACKING TESLA FROM WIRELESS TO CAN BUS

Remote Attack on Tesla Model S

The Keen Security Lab of Tencent successfully implemented a remote attack on the Tesla Model S in both Parking and Driving modes.

The attack utilized a complex chain of vulnerabilities, including a browser exploit and a Wi-Fi trick to gain access to the car’s systems.

Vulnerabilities Used

Two vulnerabilities in QtWebkit were used to achieve arbitrary code execution:

A vulnerability in the JSArray::sort() function that could cause memory corruption.

CVE-2011-3928, a type confusion bug that could be used for leaking memory.

Additionally, the Linux kernel version of CID was found to be vulnerable to CVE-2013-6282, which allowed for arbitrary read/write in kernel context.

Exploit Chain

The exploit chain involved:

Leaking JSCell address of JSArray::sort().

Getting the address of the class structure of Uint32Array using CVE-2011-3928.

FastFree()ing the address to achieve arbitrary address write.

Defining a new Uint32Array to achieve arbitrary code execution.

The final exploit gave a remote shell from Tesla CID and was very stable.

Manual:

Error: The provided content appears to be the installation manual for air suspension components rather

September 30, 2024

Introduction Tesla, Inc. is requesting a Certificate of Conformity from the Environmental Protection Agency (EPA)

May 11, 2024

The manual is for the Tesla Model, which is a electric vehicle. It covers various

November 1, 2024

Introduction This manual is designed to assist operators with the safe and efficient use of

May 8, 2024

Condition On certain Model 3 vehicles, the front stabilizer bar link ball joint studs might

May 13, 2024

Introduction This service bulletin provides instructions for addressing excessive vibrations during hard acceleration in certain

May 7, 2024

Remote Attack on Tesla Model S