CVE-2020-10558 | Tesla Model 3 Vulnerability – Disable Autopilot Notifications, Speedometer, Web Browser, Climate Controls, Turn Signals, Nav, etc.

*Edited: 03-24-2020


Investigation:

I was able to find a Tesla vulnerability (DoS) after investigating the Tesla Model 3’s web interface. This was after being inspired by the amazing team Fluoroacetate, after they discovered a JIT bug in the browser.

After some extensive trial and error, I found a bug in the web browser.

Thanks to some code I was able to find on GitHub (thanks to CrashSafari), I was able to host a malicious web page with the code.


This code was reported back in 2016 as a problem with Chromium, because it abuses the pushState() function inside the browser.

In that report, tyoshino@chromium.org states the following:

“Summary: Browser crashes when window.history is spammed by bunch of pushState() calls (was: Browser crashes when window.history is spammed by bunch of pushState() calls with a big string as the url argument)

 

A single pushState() call with a big string is fine (moved pushState() call out of the for-loop).

100000 pushState() calls with url=”” –> CPU busy. unresponsive”


 

On the Tesla Model 3, this abuse of the function consumes too much CPU processing power, which in turn causes the whole interface to freeze. This means that the browser process shares some essential background services with the rest of the screen's interface, so the entire screen crashes along with it.
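One way to bound the cost of this call pattern is to rate-limit History API calls, shown here as an added example that is not code from the original post, from Tesla, or from Chromium. The names `guardHistory`, `maxCalls`, `windowMs` and the stand-in history object are hypothetical, and in a real browser this logic belongs in the engine or embedder, since page script can undo an in-page wrapper.

```javascript
// Sliding-window guard: admit at most maxCalls History API calls per windowMs,
// silently dropping the rest so a burst cannot monopolise the CPU.
function guardHistory(history, { maxCalls = 50, windowMs = 10000, now = Date.now } = {}) {
  const stamps = []; // timestamps of calls admitted inside the current window
  let dropped = 0;
  const admit = () => {
    const t = now();
    // Expire timestamps that have left the window.
    while (stamps.length && t - stamps[0] >= windowMs) stamps.shift();
    if (stamps.length >= maxCalls) { dropped++; return false; }
    stamps.push(t);
    return true;
  };
  for (const name of ["pushState", "replaceState"]) {
    const original = history[name].bind(history);
    history[name] = (...args) => { if (admit()) original(...args); };
  }
  return { dropped: () => dropped };
}

// Constructed stand-in for window.history so the example runs outside a browser.
function makeFakeHistory() {
  const entries = [];
  return {
    entries,
    pushState(state, title, url) { entries.push(url); },
    replaceState(state, title, url) { entries[Math.max(entries.length - 1, 0)] = url; },
  };
}

// Constructed scenario: a burst of calls in one instant, then one call after
// the window has elapsed (the clock is injected so the run is deterministic).
function demo() {
  let clock = 0;
  const h = makeFakeHistory();
  const guard = guardHistory(h, { maxCalls: 5, windowMs: 1000, now: () => clock });
  for (let i = 0; i < 20; i++) h.pushState(null, "", "/p" + i);
  const afterBurst = h.entries.length;
  clock = 1000; // window elapsed, budget is available again
  h.pushState(null, "", "/later");
  return { afterBurst, dropped: guard.dropped(), total: h.entries.length };
}
```

Throttling only caps the work a single page can force through this API; it does not address the process separation problem named in the Summary below.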

 


Important Note: I hate video editing, but after some feedback I have edited the videos together, so the Tesla Model 3 Vulnerability video has more of the highlights of how this bug crashes the Tesla Model 3 interface.

 

 



Summary:

The driving interface of Tesla Model 3 vehicles in any release before 2020.4.10 allows Denial of Service to occur due to improper process separation, which allows attackers to disable the speedometer, web browser, climate controls, turn signals, navigation, autopilot notifications, and blinker notifications along with other miscellaneous functions from the main screen.


Attack Vector:

To exploit the vulnerability, a user has to go to a specially crafted web page. This web page will crash the Chromium-based browser interface and, in turn, the entire Tesla Model 3 interface.

If you want to test it out on your Tesla before you update, feel free to go here. Please drive responsibly as this does not inhibit your ability to manually take over. You can still drive.

Nullze Script Tesla Crash

Warning: This script above will still crash your browser on the system you are currently using, so be sure to save your place or use a scrap web browser for this page.


Resolution:

After reporting this vulnerability through Bugcrowd, I had the incredible pleasure of working with the Tesla team to get this issue resolved.

This issue is fixed in any release >= 2020.4.10.

Reported to NIST for Evaluation: https://nvd.nist.gov/vuln/detail/CVE-2020-10558