Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars

Presented at Black Hat USA 2018, Aug. 9, 2018, 5 p.m. (60 minutes)

We, Keen Security Lab of Tencent, successfully implemented two remote attacks on the Tesla Model S/X in 2016 and 2017. Last year, at Black Hat USA, we presented the details of our first attack chain. At that time, we showed a demonstration video of our second attack chain, but without technical aspects. This year, we are willing to share our full, in-depth details on this research.

In this presentation, we will explain the inner workings of this technology and showcase the new capability that was developed in the 2017 Tesla hacking. Multiple 0-days in different in-vehicle components are included in the new attack chain.

We will also present an in-depth analysis of the critical components in the Tesla car, including the Gateway, BCM (Body Control Modules), and the Autopilot ECUs. For instance, we utilized a code-signing bypass vulnerability to compromise the Gateway ECU; we also reversed and then customized the BCM to play the Model X "Holiday Show" Easter Egg for entertainment.

Finally, we will talk about a remote attack we carried out to successfully gain unauthorized user access to the Autopilot ECU on the Tesla car by exploiting one more fascinating vulnerability. To the best of our knowledge, this presentation will be the first to demonstrate hacking into an Autopilot module.


Presenters:

  • Sen Nie - Researcher, KeenLab, Tencent
    Sen Nie is a security researcher at Keen Lab, Tencent. Currently, his research is mainly focused on car hacking; before that, he had many years of research experience in program analysis, such as symbolic execution, smart fuzzing and other vulnerability detection technologies.
  • Yuefeng Du - Researcher, KeenLab, Tencent
    Yuefeng Du is a security researcher at KeenLab of Tencent. He is passionate about computer security, especially reverse engineering and malware analysis.
  • Wenkai Zhang - Researcher, KeenLab, Tencent
    Wenkai Zhang is a security researcher at KeenLab, Tencent. He now focuses on vehicle CAN network testing and ECU firmware analysis at Keen Lab. With plenty of experience in embedded system basic software development, he is familiar with the ECU hardware design process and vehicle CAN network architecture.
  • Ling Liu - Researcher, KeenLab, Tencent
    Ling Liu specializes in reverse engineering, vulnerability discovery, vulnerability research and advanced exploitation techniques. He was formerly a security researcher focused on vulnerability discovery of QEMU and XEN and is a CTF player.
