Remote Attack on Tesla Model S

The Keen Security Lab of Tencent successfully implemented a remote attack on the Tesla Model S in both Parking and Driving modes.

The attack utilized a complex chain of vulnerabilities, including a browser exploit and a Wi-Fi trick to gain access to the car’s systems.

Vulnerabilities Used

Two vulnerabilities in QtWebkit were used to achieve arbitrary code execution:

  • A memory-corruption vulnerability in the JSArray::sort() function.
  • CVE-2011-3928, a type confusion bug that could be used to leak memory (an information-disclosure primitive).

Additionally, the Linux kernel running on the CID (Center Information Display) was found to be vulnerable to CVE-2013-6282, which allowed arbitrary read/write in kernel context.

Exploit Chain

The exploit chain involved:

  1. Leaking JSCell address of JSArray::sort().
  2. Getting the address of the class structure of Uint32Array using CVE-2011-3928.
  3. FastFree()ing the address to achieve arbitrary address write.
  4. Defining a new Uint32Array to achieve arbitrary code execution.

The final exploit yielded a remote shell on the Tesla CID and was very stable.

Reference: FREE-FALL: HACKING TESLA FROM WIRELESS TO CAN BUS (Keen Security Lab whitepaper)
