Hackers Infiltrated Tesla to Mine Cryptocurrency

The latest cryptojacking scheme targeted the car manufacturer.

Feb 20 2018, 10:12pm

Image: Flickr/Maurizio Pesce

While Elon Musk was busy planning how to launch his Tesla Roadster into the depths of space last month, a hacker was silently using Tesla’s computing power to mine an unknown amount of cryptocurrency.

The unidentified attackers found their way in through cracks in Tesla’s cloud environment, according to a report issued by RedLock security on February 20. The miners gained access via an unprotected Tesla Kubernetes console (Kubernetes is an open-source system that manages containerized applications). Stored on this console were the access credentials to Tesla’s Amazon Web Services environment. Once they had access to the console, the attackers were able to run scripts that let them stealthily mine cryptocurrency.

RedLock Vice President Upa Campbell told Motherboard over the phone that crypto mining incidents have increased in tandem with rising cryptocurrency prices.

“As the values of crypto currencies rise we are seeing an epidemic,” Campbell said.

Campbell also said that for some hackers, crypto mining may offer easier profits than more traditional data extraction.

“It used to be lucrative for hackers to steal a company’s data, but hackers will always take the path of least resistance,” she said. “Cryptojacking is a lot easier because they get into the environment and simply leverage the computer systems to generate money.”


In an interview with Fortune, RedLock CEO Varun Badhwar said that the attackers used the cryptocurrency mining pool protocol Stratum to carry out the attack. The exact type and amount of currency mined from Tesla remains unknown, as does the total time for which the attackers had access.

In an email to Motherboard a Tesla spokesperson said that they did not think this attack would directly affect Tesla customers, since the accessible data was from test cars and not customers.

“We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it,” the spokesman said. “The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”

While most of these attacks use common port numbers that are easily identifiable, RedLock CTO Gaurav Kumar said this one did not.

“So any detection mechanism which used a port number will just not work in this case,” Kumar told Motherboard over the phone.

In addition, RedLock notes that the mining software was configured to keep the amount of resources it hijacked low in order to avoid arousing suspicion—a CPU that's working hard is one of the tell-tale signs that someone is using your computer to mine digital coins.
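Because a port-based rule cannot catch a miner that talks to its pool on an unusual port, one defensive alternative is to look at the traffic content itself: Stratum v1 is line-delimited JSON-RPC whose request methods all carry a "mining." prefix. The script below is an added illustration (not code from RedLock or the original article); the flow records are constructed samples, and the field names "src", "dst", "dport" and "payload" are assumptions about a capture format.

```python
import json

# Stratum v1 requests from a miner to a pool are single JSON-RPC lines such as
# {"id":1,"method":"mining.subscribe","params":[...]}. Matching on the method
# name works regardless of which TCP port the pool listens on.
STRATUM_PREFIX = "mining."


def looks_like_stratum(payload: str) -> bool:
    """Return True if one captured payload line is a Stratum v1 JSON-RPC request."""
    line = payload.strip()
    if not line.startswith("{"):
        return False
    try:
        msg = json.loads(line)
    except json.JSONDecodeError:
        return False
    method = msg.get("method") if isinstance(msg, dict) else None
    return isinstance(method, str) and method.startswith(STRATUM_PREFIX) and "params" in msg


def find_stratum_flows(flows):
    """flows: iterable of dicts with 'src', 'dst', 'dport', 'payload' (assumed format).
    Returns one hit per matching payload, with the Stratum method that matched."""
    hits = []
    for flow in flows:
        if looks_like_stratum(flow["payload"]):
            method = json.loads(flow["payload"].strip())["method"]
            hits.append({"src": flow["src"], "dst": flow["dst"],
                         "dport": flow["dport"], "method": method})
    return hits


# Constructed sample flows (not real traffic). The miner reaches its pool on
# port 443 instead of a well-known mining port, so a port-based rule misses it;
# the other two records are ordinary HTTPS-port traffic that must not match.
SAMPLE_FLOWS = [
    {"src": "10.0.3.17", "dst": "203.0.113.9", "dport": 443,
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'},
    {"src": "10.0.3.17", "dst": "203.0.113.9", "dport": 443,
     "payload": '{"id":2,"method":"mining.authorize","params":["worker1","x"]}\n'},
    {"src": "10.0.3.22", "dst": "198.51.100.4", "dport": 443,
     "payload": "GET /healthz HTTP/1.1\r\nHost: api.example\r\n\r\n"},
    {"src": "10.0.3.22", "dst": "198.51.100.4", "dport": 443,
     "payload": '{"id":7,"method":"user.lookup","params":["alice"]}\n'},
]

if __name__ == "__main__":
    for hit in find_stratum_flows(SAMPLE_FLOWS):
        print(f"stratum {hit['method']} from {hit['src']} to {hit['dst']}:{hit['dport']}")
```

This only works where the payload is visible; a miner speaking Stratum inside TLS is invisible to content matching, which is why host-level signals such as sustained CPU use by unexpected processes still matter even when the miner throttles itself.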

This reveal comes on the heels of a major crypto mining attack last week that hijacked the machines of anyone visiting nearly 4,000 websites, including many government sites, to mine cryptocurrency. These types of attacks, including the one that targeted Tesla, are now commonly referred to as cryptojacking.

In October RedLock found hundreds of similar Kubernetes administration consoles lacking any password protection, making them accessible to hackers. Among the companies that have been targeted by similar attacks are British multinational insurance company Aviva and SIM card manufacturer Gemalto. In both of these instances attackers infiltrated the company's public cloud environments to mine cryptocurrency.

According to the Fortune report, the researchers at RedLock notified Tesla and the company resolved the issue in about two days. Tesla awarded RedLock $3,133.70 for notifying them of the vulnerability as part of its bug bounty program.

According to Campbell the Tesla incident demonstrates how large organizations could be taking more proactive steps to ensure security.

“Organizations need to assume that credentials are going to get compromised and as a result they need to monitor users’ behavior and make sure that they notice any suspicious activity by users,” she said.
