FREE-FALL: HACKING TESLA FROM WIRELESS TO CAN BUS

Remote Attack on Tesla Model S

The Keen Security Lab of Tencent successfully implemented a remote attack on the Tesla Model S in both Parking and Driving modes.

The attack utilized a complex chain of vulnerabilities, including a browser exploit and a Wi-Fi trick to gain access to the car’s systems.

Vulnerabilities Used

Two vulnerabilities in QtWebkit were used to achieve arbitrary code execution:

A vulnerability in the JSArray::sort() function that could cause memory corruption.

CVE-2011-3928, a type confusion bug that could be used for leaking memory.

Additionally, the Linux kernel version of CID was found to be vulnerable to CVE-2013-6282, which allowed for arbitrary read/write in kernel context.

Exploit Chain

The exploit chain involved:

Leaking JSCell address of JSArray::sort().

Getting the address of the class structure of Uint32Array using CVE-2011-3928.

FastFree()ing the address to achieve arbitrary address write.

Defining a new Uint32Array to achieve arbitrary code execution.

The final exploit gave a remote shell from Tesla CID and was very stable.

Manual:

Important Notes Care after installation: The vehicle owner is responsible for the condition of the

May 8, 2024

Introduction This manual provides information about the Model Y, including safety information, product specifications, and

July 8, 2024

Introduction This manual provides information specific to your vehicle, including features, vehicle configuration, market region,

July 31, 2024

About Tesla Motors, Inc. Tesla Motors, Inc. designs, develops, manufactures, and sells high-performance fully electric

July 31, 2024

Exterior Overview The exterior of your Tesla Model 3 features several key components, including exterior

May 9, 2024

Tesla Model S Suspension Overview The Tesla Model S features an independent multi-link suspension setup,

May 30, 2024

Remote Attack on Tesla Model S