
New Malware Hack via Android OS

Discussion in 'Model S: User Interface' started by Austral, Nov 28, 2016.

  1. Maximapolak

    Maximapolak Member

    Joined:
    Nov 13, 2016
    Messages:
    472
    Location:
    North NJ / SouthCentral PA
    If you install the malware yourself it will give them access.

    Like in a home computer, don't install things you have no clue about...or get an iPhone ;)
     
    • Funny x 1
  2. Austral

    Austral Member

    Joined:
    Jul 4, 2016
    Messages:
    233
    Location:
    McLean
    Yup. Common sense, right?
     
  3. ecarfan

    ecarfan Well-Known Member

    Joined:
    Sep 21, 2013
    Messages:
    13,013
    Location:
    San Mateo, CA
    I applaud the guys who made that video because it helps raise awareness of this issue.
    Easy to say, but how is someone supposed to know that an app is malicious? Both Apple and Google have inadvertently allowed malicious apps to be made available through their app stores. The vast majority of smartphone users cannot possibly figure out if an app is malware or not.
     
  4. Max*

    Max* Not Banned

    Joined:
    Apr 8, 2015
    Messages:
    6,307
    Location:
    NoVa
    Didn't I read that this is only for old Android OSs? Like 2+ years of not being supported anymore by Google?

    Not to sound elitist, but I would expect most people who own Teslas to have smartphones that are no more than 4 years old (2 years of support, + 2 years outdated).
     
  5. ecarfan

    ecarfan Well-Known Member

    Joined:
    Sep 21, 2013
    Messages:
    13,013
    Location:
    San Mateo, CA
    I think there are likely many Tesla owners with smartphones more than 4 years old, but more importantly, all smartphone owners should make an effort to keep their OS updated. I know that can be more difficult with Android since it is up to the cell service provider to make OS updates available to their customers and often they are not very diligent about that. In contrast, Apple is much more proactive about keeping iPhones on the most current iOS for a particular iPhone model.
     
  6. Max*

    Max* Not Banned

    Joined:
    Apr 8, 2015
    Messages:
    6,307
    Location:
    NoVa
    lol, how? (rhetorical question, don't answer that)

    Older phones, with non replaceable batteries, don't hold charge for a full day anymore. Top that off, with the slowed down OS due to all the apps aiming to work better on the newer more powerful phones, yadda yadda yadda, cell phones are one of those consumerism things that targets people to keep buying and buying. Not because they "need" the latest and greatest, but because their old phones turn to crap.


    But I do agree with the rest of your comment.
     
  7. Austral

    Austral Member

    Joined:
    Jul 4, 2016
    Messages:
    233
    Location:
    McLean
    Everything is hackable--some things more than others. Awareness and mitigation are useful approaches.
     
  8. SG57

    SG57 Vendor

    Joined:
    Jul 24, 2016
    Messages:
    261
    Location:
    Spokane Valley, WA
    I've read the original blog post thoroughly, and I see it as intentionally exaggerated for sensationalism and some of its suggested security improvements are mostly impossible for the app developer.

    When you opt to run 4-year-old private-sector technology, regardless of the industry, you accept the security risks that inherently come with widespread use and misuse over the years. You can't prevent social engineering or human error, but you can protect against it with guidelines to follow when conducting yourself online.

    The suggestions:
    • The application should detect that it has been modified.
      This is inherently impossible considering if it can be modified in the first place, then the code that detects if it's modified can be, well, modified! If an app can be modified, then all security measures you take can be circumvented.

    • The authentication token should not be stored in clear text.
      I agree, this is an issue with the official app. Best practice is to store sensitive preferences on-disk encrypted using device ciphers. (shameless plug: my app, Dashboard for Tesla, does just this)

    • The security of the authentication can be improved by requiring two-factor authentication.
      I agree, however see my first point how if an app can be modified in the first place, then all security measures can be circumvented.

    • The app should provide its own keyboard for entering the username and password. Otherwise, malicious third party keyboards can act as keyloggers to obtain the user’s credentials.
      This is a ridiculous suggestion. All apps implementing their own in-house keyboard implementations goes against the customization that draws people to Android in the first place. If your system is compromised, you're at risk period - see my first point.

    • The app should be protected against reverse engineering.
      An equally ridiculous suggestion. You can't prevent decompilation of your program short of simply not releasing it publicly, but you can take steps to obfuscate your code on compilation such that it's near-useless when decompiled (see ProGuard). I can confirm the official Tesla Android app does NOT do this despite the relative ease of configuring it, but I can't complain because that made it possible for me to remove the certificate pinning then sniff the APIs used.
     
    • Like x 3
