Remote Attack on Tesla Model S
Tencent's Keen Security Lab demonstrated a remote attack on the Tesla Model S that worked with the car in both Parking and Driving modes.
The attack chained several vulnerabilities: a Wi-Fi trick to reach the car over the network, a browser exploit to gain code execution on the in-car system, and a kernel bug to escalate from there into the car's systems.
Vulnerabilities Used
Two vulnerabilities in QtWebKit, the engine behind the car's built-in browser, were combined to achieve arbitrary code execution:
- A bug in the JSArray::sort() function that causes memory corruption.
- CVE-2011-3928, a type confusion bug that was used to leak memory contents.
Additionally, the Linux kernel running on the CID (Center Information Display, the ARM-based head unit) was vulnerable to CVE-2013-6282: the ARM get_user()/put_user() helpers did not validate the address handed in from user space, which gives a local process arbitrary read and write of memory in kernel context.
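To make the kernel side of the chain concrete, here is an added illustration that is not from the Keen Security Lab paper: a small user-space model of the CVE-2013-6282 bug class. Before the fix, the ARM get_user()/put_user() helpers copied to or from whatever address a process supplied; the fix added an access_ok()-style range check that confines the whole [addr, addr+len) range to user space. The flat byte array standing in for the address space, the USER_LIMIT split, the KERNEL_SECRET_ADDR word, and all function names below are constructed for this example and are not kernel code.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not real kernel code): a flat address space where
 * addresses below USER_LIMIT are "user" and everything above is "kernel".
 * Real hardware uses TASK_SIZE and page tables; only the check matters here. */
#define USER_LIMIT          0x1000u
#define SPACE_SIZE          0x2000u
#define KERNEL_SECRET_ADDR  0x1800u      /* a kernel word user space must never reach */
#define SECRET_VALUE        0xC0DECAFEu

static uint8_t space[SPACE_SIZE];

/* Reset the model: the secret sits in kernel memory, everything else is zero. */
void reset_space(void) {
    uint32_t v = SECRET_VALUE;
    memset(space, 0, sizeof space);
    memcpy(&space[KERNEL_SECRET_ADDR], &v, sizeof v);
}

uint32_t read_kernel_secret(void) {
    uint32_t v;
    memcpy(&v, &space[KERNEL_SECRET_ADDR], sizeof v);
    return v;
}

/* Keeps the simulation itself inside its array; this is NOT the security check. */
static int in_space(uint32_t addr, size_t len) {
    return addr < SPACE_SIZE && len <= SPACE_SIZE - addr;
}

/* --- Vulnerable pair: trusts any address supplied by user space, as the
 *     ARM helpers did before the CVE-2013-6282 fix. --- */
int put_user_vuln(uint32_t value, uint32_t addr) {
    if (!in_space(addr, sizeof value)) return -EFAULT;
    memcpy(&space[addr], &value, sizeof value);
    return 0;
}

int get_user_vuln(uint32_t *out, uint32_t addr) {
    if (!in_space(addr, sizeof *out)) return -EFAULT;
    memcpy(out, &space[addr], sizeof *out);
    return 0;
}

/* --- Fix: an access_ok()-style range check. The whole range must lie below
 *     USER_LIMIT; written as a subtraction so addr + len cannot wrap. --- */
int access_ok(uint32_t addr, size_t len) {
    return addr < USER_LIMIT && len <= USER_LIMIT - addr;
}

int put_user_fixed(uint32_t value, uint32_t addr) {
    if (!access_ok(addr, sizeof value)) return -EFAULT;
    return put_user_vuln(value, addr);   /* same copy, now range-checked */
}

int get_user_fixed(uint32_t *out, uint32_t addr) {
    if (!access_ok(addr, sizeof *out)) return -EFAULT;
    return get_user_vuln(out, addr);
}

/* Attacker passes a kernel address as the "user" pointer.
 * Returns 1 if the kernel word was overwritten. */
int attack_overwrites_secret(int use_fixed) {
    reset_space();
    if (use_fixed) put_user_fixed(0x41414141u, KERNEL_SECRET_ADDR);
    else           put_user_vuln (0x41414141u, KERNEL_SECRET_ADDR);
    return read_kernel_secret() == 0x41414141u;
}

/* Attacker tries to read the kernel word; returns 0 if the read was refused. */
uint32_t attack_reads_secret(int use_fixed) {
    uint32_t v = 0;
    int rc;
    reset_space();
    rc = use_fixed ? get_user_fixed(&v, KERNEL_SECRET_ADDR)
                   : get_user_vuln (&v, KERNEL_SECRET_ADDR);
    return rc == 0 ? v : 0;
}

int main(void) {
    printf("vulnerable put_user: secret overwritten = %d\n", attack_overwrites_secret(0));
    printf("fixed put_user:      secret overwritten = %d\n", attack_overwrites_secret(1));
    printf("vulnerable get_user: leaked 0x%08x\n", attack_reads_secret(0));
    printf("fixed get_user:      leaked 0x%08x (0 = refused)\n", attack_reads_secret(1));
    return 0;
}
```

The subtraction form of access_ok() is the part worth copying: a naive `addr + len <= USER_LIMIT` can wrap on a 32-bit address and accept a range that straddles the user/kernel boundary, which is exactly the kind of pointer an exploit like the one in this chain would supply.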
Exploit Chain
The exploit chain in the browser proceeded as follows:
- Leak a JSCell address through the JSArray::sort() bug.
- Use CVE-2011-3928 to obtain the address of the Structure (class layout object) of Uint32Array.
- Pass that address to fastFree(), turning control of the freed Structure into an arbitrary address write.
- Define a new Uint32Array over the controlled Structure to achieve arbitrary code execution.
The final exploit returned a remote shell on the Tesla CID and was very stable.
Paper: Free-Fall: Hacking Tesla from Wireless to CAN Bus (Keen Security Lab, Black Hat USA 2017)