Most likely, the attackers were able to gain access to the legitimate Twitter accounts of
Tesla Motors and Elon Musk by redirecting email bound for the teslamotors.com domain and
resetting the Twitter passwords. Imagine how much other information they could have (and
probably did) capture from redirecting corporate emails bound to Tesla.
While the attack was in progress, according to messages on the company’s message board
(Figure 7-31), Tesla car owners could not use the company’s iOS app. The app (discussed in
Chapter 6) also allows Tesla Model S owners to locate, lock, unlock, and even start their cars
using their iPhones without having to have their key fobs. Given the increasing popularity of
and reliance on smartphones, in the future many car owners are going to be increasingly
dependent on their phones to unlock and start their cars rather than carrying key fobs, so the
potential impact of such a lockout will only grow.
FIGURE 7-31. Tesla owners were unable to use the iOS app while the attack was in progress
The ability of these attackers to gain access to the entire domain of teslamotors.com using a
simple social engineering attack (posing as a company employee) demonstrates how easy it
can be to disrupt the security of major corporations. Instead of vandalizing the website and
Twitter accounts, the attackers could have surreptitiously maintained access for a prolonged
period to steal intellectual property and financial data. The type of overt vandalism they
engaged in is bound to receive an immediate response from the security operations personnel
at the company that is being attacked, causing the loophole to be closed. Attackers who want
to cause severe financial and business damage are unlikely to take such obvious actions,
because they want to maintain access for as long as possible. Vandals, however, thrive on
media attention and feel good about being able to demonstrate loopholes. Their motives may
be petty, but the companies they target pay the price of brand damage nonetheless.
In our discussion of the Tesla Model S in Chapter 6, we saw that these cars use their
always-on 3G cellular connections to receive software updates that can affect physical func-
tionality. Current and potential car owners may consider other car manufacturers after having
read about this attack in the media, questioning Tesla’s ability to protect its infrastructure
ABUSE CASES IN THE CONTEXT OF THREAT AGENTS 225