In 2020, Jacob Archuleta, a researcher known by the handle Nullze, discovered a significant information security vulnerability in the web browser of the Tesla Model 3 automobile. If a user of the car’s onboard computer visits a specific website, the entire touchscreen becomes unusable.
The vulnerability was promptly reported to Tesla in accordance with its bug bounty program. Tesla pays bug reporters between $100 and $15,000 for each reported cyberthreat. In February 2020, Tesla quickly addressed the reported bug by releasing software update version 2020.4.10. Users of Tesla vehicles could install the update immediately or postpone the installation.
The purpose of this article is to examine the vulnerability discovered by Nullze and provide recommendations on how to protect Tesla cars against similar vulnerabilities.
The vulnerability discovered by Nullze
Nullze found a vulnerability that allowed attackers to trigger processes that overwhelm the onboard computer of the Tesla Model 3 and cause the entire touchscreen to freeze. The vulnerability is particularly dangerous because it disables the autopilot notifications, the speedometer, the climate controls, the navigation and other important functions of the Tesla Model 3. This may confuse the driver and even lead to car crashes. For example, since the speedometer stops working completely after the attack, the driver may unintentionally exceed the speed limit and cause a crash. The US National Vulnerability Database assigned the vulnerability a CVSS version 3 base score of 6.5, which indicates medium severity.
The attack used to freeze Tesla’s onboard computer is a form of denial-of-service (DoS) attack. This type of cyberattack aims to make a computer unavailable by flooding it with a large number of requests in order to exhaust its data processing capacity.
Team Fluoroacetate, (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Daniel Dimov. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/adAqP5ZdnmE/