The security team at Promon recently showed that the security measures in the mobile app protecting Tesla cars can be broken, giving attackers full control over the car. The Tesla mobile app authenticates using a secret key that the app stores locally on the phone, and that key is therefore vulnerable to theft by malware that infects the phone. This is another reminder that solutions which don't properly protect their secret keys are vulnerable, and will soon be a major target of cyber criminals and others.
Strong authentication methods rely on long secret keys and not just on short passwords that humans can remember. As such, they have the potential to provide far higher security than passwords. However, the downside is that a device is needed to store the long secret key and use it. In the past, this meant carrying around special-purpose smartcards or one-time password generation devices. Beyond being a pain for users, these were a huge pain for administrators who had to continually deal with users forgetting or losing their devices.
The fact that almost everyone has a smartphone today means that we no longer need to carry around special-purpose hardware in order to get strong authentication. Furthermore, users are far more careful with their smartphone than they ever were with dedicated authentication devices. Finally, because the strong authentication solution is deployed in software, a new authenticator can easily be provisioned even if a user loses their device. In summary, it would appear that the world is now ready for strong authentication everywhere. Unfortunately, this is far from being the case.
In order to understand why, one must accept the fact that smartphones are inherently insecure devices. As such, they can be hacked, and any long secret key that resides on the phone can be stolen, enabling the attackers to fully impersonate the user and do anything the user can. As the Tesla attack shows, this is not just a theoretical concern. The security experts at Promon showed how one can hack into a user's phone remotely, steal the secret key from the Tesla mobile app, and essentially take over the car completely. Not only were they able to find the car's location and unlock it, they were even able to enable its keyless driving functionality. Beyond the issue of car theft, this exposes the car to attacks with potentially very serious safety consequences (such as remotely controlling the car while it is being driven).
The attack demonstrated by Promon worked by stealing the OAuth token that the app uses to authenticate. This token is stored on the phone, where it can be stolen. The token was kept in the app's sandbox folder, but the sandbox provides no reasonable protection once the phone is infected by malware. Some phones have physical secure elements that could be used instead, but they offer limited and specific functionality, and every phone is different, so it is difficult to build a secure solution that relies on them. Without solving this problem, deploying strong authentication on smartphones opens the door to devastating attacks. Dyadic has a pure-software, platform-agnostic solution for protecting secret keys on mobile devices that secures the keys at the levels previously achieved only with hardware. With Dyadic's solution, secret keys remain safe even if the mobile device is compromised.