
[Web Feed] Security researchers Ralf-Philipp Weinmann of Kunnamon, Inc. and Benedikt Sch...


Feed Supplier

Apr 29, 2021, 9:23:02 AM



Security researchers Ralf-Philipp Weinmann of Kunnamon, Inc. and Benedikt Schmotzle of Comsecuris GmbH have found remote zero-click security vulnerabilities in an open-source software component (ConnMan) used in Tesla automobiles that allowed them to compromise parked cars and control their infotainment systems over WiFi. It would be possible for an attacker to unlock the doors and trunk and to change seat positions and both steering and acceleration modes: in short, pretty much what a driver pressing various buttons on the console can do. This attack does not yield drive control of the car, though. Named “TBONE”, these exploits were originally written for the PWN2OWN 2020 contest, which was cancelled due to COVID-19. The researchers later disclosed these vulnerabilities to Tesla, who patched them in update 2020.44 in late October 2020.

The affected components were also widely used in infotainment systems of other car manufacturers. Eventually the German CERT was engaged and the wider automotive industry was informed of the vulnerability in January 2021. Patches have been checked into the Git repository and a new version of ConnMan (v1.39) has been released since February 2021. The researchers therefore decided to demonstrate these vulnerabilities to the cybersecurity community at large.






TBONE: for public release on 2021-04-28: https://kunnamon.io/tbone
