Cryptojacking--cryptocurrency mining via malware, hacking, or other malicious means--has been on the rise as a potentially lucrative “business” for cyber criminals. Tesla is the latest to fall victim to such an attack. Researchers from RedLock, a cloud security company, uncovered a cryptojacking attack against some of Tesla’s cloud systems.
Tesla Systems Not Password Protected
The attackers were able to hack Tesla’s Kubernetes console, which it uses to manage its application containers, in part because there was no password protection enabled for the system. This lapse in Tesla’s security exposed access credentials for the company’s Amazon Web Services (AWS) environment. From there, the attackers gained access to an Amazon S3 bucket that contained sensitive data, such as car telemetry.
Tesla seems to be in good company, because Aviva, a British multinational insurance company, and Gemalto, the world’s largest SIM and smart card chip maker, were also recently infiltrated by cyptojackers because they left their Kubernetes consoles unprotected by passwords. Gemalto, on whose security most of our phones depend, was also hacked by the GCHQ and NSA back in 2010. The company promised to improve its security at the time.
Tesla Systems Cryptojacked
The hackers weren’t content just to steal the sensitive data they found, so they also installed some cryptocurrency mining clients. According to the RedLock team, the attackers employed some sophisticated evasion techniques. One of these techniques was to use an unlisted and semi-public cryptomining pool, which would be able to evade common threat intelligence software.
The attackers also hid the IP address of the mining pool behind free content delivery network (CDN) services that allow them to use different IPs for each account. The mining software was configured to listen on a non-standard port to evade security tools monitoring the standard ports. However, this likely also means that Tesla didn’t block all the ports except the ones it was using, and then scan the remaining open ones.
Lastly, the attackers didn’t try to abuse the available CPU resources of Tesla’s systems, because that would have raised suspicions. The mining clients used relatively low resources to remain hidden.
Tesla Statement
RedLock said that it reported the incident to Tesla immediately, and the company was able to rectify the problem quickly.
In a statement to Tom’s Hardware, Tesla said:
We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.
Tesla is one of a small number of carmakers that even have a bug bounty program, and it tends to take security more seriously than other automotive companies in general. However, the more popular its cars with self-driving, over-the-air upgrade, and remote control capabilities become, the more appealing they will be to malicious attackers.
We’ve also seen from previous reports and interviews with industry experts that carmakers, in general, are still not taking the security of their connected cars and upcoming self-driving cars too seriously. Once these cars are in sufficient numbers on the market and can be accessed remotely through the company’s servers, we may see an increasing number of attackers on the car companies’ cloud systems.