Reverse engineering Tesla Model 3 reveals vulnerabilities in firmware update mechanism
A security researcher claims to have discovered multiple security vulnerabilities in Tesla’s firmware update mechanism after reverse engineering the display and instrument cluster of a Tesla Model 3.
“Last year I spent a few weeks tearing down a Tesla to look at the hardware and firmware updates. First up was getting the CID out and looking at how it worked,” Andrew Tierney, a security researcher at penetration testing firm Pen Test Partners, wrote on Twitter.
Firmware files sent to the engine control units (ECUs) likely don’t have any specific validation… and the validation is carried out by the ECU itself
“Next up was reverse engineering the firmware update process… I didn’t get as much done as I wanted, but only had limited time. Some gems in shell scripts though.”
After analysing the firmware update process in detail, Tierney found that updates to the Tesla firmware are carried out sequentially.
“The same ECUs were updated for the two firmware updates that we observed, and this appeared to be most of those in the vehicle. We could not determine if partial updates are carried out,” Tierney said in a blog post.
Next up was reverse engineering the firmware update process… I didn’t get as much done as I wanted, but only had limited time.
Some gems in shell scripts though.https://t.co/2ExmRHhinj pic.twitter.com/US3ijZikjr
— Cybergibbons! (Project Zero Hounslow) (@cybergibbons) February 12, 2020
However, Tierney added, there may be worrying security shortcomings in the way in which Tesla vehicles validate OTA firmware updates.
The firmware files sent to the engine control units (ECUs) likely don’t have any specific validation, according to Tierney, and the validation is carried out by the ECU itself. Moreover, the analysis of .hex files revealed that there is no signing of the files.
“Digital signatures can be identified using entropy analysis. They are almost always high entropy.”
Some researchers have previously analysed ECU updates and found that only CRC32 checks were carried out. This makes the update process vulnerable to attacks as it could enable attackers to upload malicious firmware onto the gateway and then onto other ECUs. Tierney found that some issues still remain in the update process.
Moreover, Tierney didn’t find any integrity protection or signature for the SD card – a weakness that could allow attackers to modify the contents of an SD card and the firmware and then load it onto an ECU.
The post on Tesla firmware update mechanisms is eye-popping. Far from Tesla having advanced OTA tech, this reads like something a student would cobble together for a project deadline a few weeks away. https://t.co/2gtE2vtV0M
— Ken Tindell (@kentindell) February 12, 2020
However, this is not the first time that a security researcher has found security vulnerabilities in Tesla cars.
Last year, two white hat hackers said that they were able to extract a trove of personal and unencrypted data about vehicle owners from salvaged Tesla Model X, Model S and Model 3 vehicles.
Also last year, a group of security researchers claimed that they were able to hack into the navigation system of a Tesla Model 3 and get the vehicle to turn itself on.
Earlier in 2018, researchers from COSIC group at the Catholic University of Leuven in Belgium revealed that Tesla’s Model S electric car could be vulnerable to thieves due to outdated security on the keyless fobs that were used to secure the vehicle.