Zero-Click, the exploit used by a drone to hack a Tesla 

Two cybersecurity experts unveiled recently who managed to open the doors of a Tesla remotely, using a drone equipped with a Wi-Fi dongle. The researchers presented their feat at the CanSecWest conference by noting that they did not require any interaction from anyone in the car.

The so-called exploit of "Zero-Click" is implemented without any interaction with the user. Once installed, you can record ambient sounds and phone conversations, take photos, and access user credentials, among other things.

The errors presented by cybersecurity researchers Ralf-Philipp Weinmann, CEO of Kunnamon, and Benedikt Schmotzle, of Comsecuris, are actually the result of an investigation conducted last year. The research was originally carried out as part of the competition Pwn2Own 2020 hack, offering a car and other top prizes for hacking a Tesla.

Having said that, results were communicated directly to Tesla through its rewards program for mistakes after Pwn2Own organizers decided to temporarily remove the automotive category due to the coronavirus pandemic.

The attack, dubbed TBONE, implies the exploitation of two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices. Two vulnerabilities in ConnMan allowed Weinmann and Schmotzle to execute commands on Tesla's infotainment system.

In a blog post, Weinmann and Schmotzle explained that an attacker can exploit these loopholes to take full control of the infotainment system. from Tesla without user interaction. An attacker who exploits the vulnerabilities can perform any task that a normal user can perform from the infotainment system.

This includes opening the doors, changing the seating position, playing music, controlling the air conditioning, and changing the steering and throttle modes.

However, investigators noted that the attack failed to take control of the car. They claimed that the exploit worked against Tesla's S, 3, X, and Y models. However, in their post, they made it clear that they could have done worse by writing code in Tesla's infotainment technology. Weinmann warned that the exploit could have turned into a worm. This is possible by adding a feat that would have allowed them to create an entirely new Wi-Fi firmware on the Tesla, "making it an access point that can be used to operate other nearby Tesla cars."

However, the investigators chose not to stage such an attack.

“Adding an elevation of privilege exploit like CVE-2021-3347 to TBONE would allow us to load new Wi-Fi firmware onto the Tesla car, making it an access point that could be used to operate other Tesla cars that are in close proximity to the victim's car. However, we didn't want to turn this exploit into a computer worm, ”Weinmann said. Tesla fixed the vulnerabilities with an update released in October 2020 and reportedly stopped using ConnMan.

Intel was also informed, as the company was the original developer of ConnMan, but the researchers said the chipmaker felt it was not its responsibility to correct the errors.

Researchers have found that the ConnMan component is widely used in the automotive industry, which could mean that similar attacks can also be launched against other vehicles. Weinmann and Schmotzle eventually turned to Germany's National Computer Emergency Response Team (CERT) to help educate potentially affected providers.

It is not yet known whether other manufacturers have taken action in response. to the researchers' findings. The researchers described their findings at the CanSecWest conference earlier this year. In recent years, cybersecurity researchers from various companies have shown that a Tesla can be hacked, in many cases remotely.

In 2020, McAfee security experts showed feats capable of forcing Tesla's autonomous driving function to increase the car's speed. Bugs were fixed in October last year, which means that hacking should not be possible today.


The content of the article adheres to our principles of editorial ethics. To report an error click here.

Be the first to comment

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.