Abusing the Internet of Things

(Rick Simeone) #1

Social Engineering Tesla Employees and the Quest for Location Privacy


For most people who forget their car keys or lock themselves out of their vehicles, it’s tough
luck. Tesla owners, however, can unlock their cars using the iOS app in such cases. They can
also call customer services and request that their cars be unlocked when they are unable to
use the app (see Figure 6-8).


FIGURE 6-8. Tesla customer services can unlock cars remotely


The ability of Tesla employees to unlock cars remotely is certainly helpful to customers,
but it is not clear how a customer service rep is able to authenticate legitimate car owners.
Tesla has not published actual guidelines on exactly what information is required for
verification. This could create a situation in which individuals may attempt to social engineer Tesla
customer support workers to gain access to a car.

It is also unclear what background checks Tesla employees are subject to prior to being
given the power to unlock any Tesla car. Uber, the app-based cab company, recently faced
scrutiny for violation of its customers’ privacy by company employees, who had access to all
customers’ data (internally known as God View), including where they were picked up from
and where they were dropped off. In fact, Uber employees have actually bragged on their blog
about being able to identify individuals who travel to locations late at night to engage in
“frisky” behavior (this content has been taken down, but an archived version is available).

Since the Model S is always connected via 3G, Tesla can easily collect information on
where every car is at any given time. Yet, Tesla has not communicated what steps it takes to


CHAPTER 6: CONNECTED CAR SECURITY ANALYSIS—FROM GAS TO FULLY ELECTRIC
