Tesla X Remotely PWNed by Fuzzed 0-days Bypassing Stack Protections

Assaf Harel, Chief Scientist | May 5, 2021

The team chained zero-day vulnerabilities to bypass stack protection and achieve remote code execution on a Tesla X.

Kunnamon published a Tesla hack at CanSecWest last month.

The team used a fuzzing tool to find two new zero-days in the open source ConnMan package that Tesla uses in its infotainment unit. By chaining the two vulnerabilities, they bypassed the stack protection mechanisms, including ASLR and Stack Canary, and achieved remote code execution over WiFi: a drone provided a WiFi access point for a hardwired SSID, which let them exploit a Tesla X and open its doors.

Tesla has fixed this in a timely manner, so if you use ConnMan you might want to upgrade to version 1.39 or higher.

Judging from the slew of IP stack vulnerabilities that were published lately (see below), including Microsoft’s last week, there will be more coming. The entry point for protecting the OS against memory attacks involving stack overflow used to be activation of ASLR and Stack Canary. Those are still a good start, but they are no longer enough.

The fact that attackers can take their time with advanced tools, unearthing zero days in the process, means that self-protection for software is more important than ever. If all that is needed by two (very smart) guys in a garage to find zero days that allow a Tesla takeover is a lot of knowledge, a little time, and access to some open source tools and packages, any safety-impacted IoT developer out there had better add another layer of cybersecurity.

We at Karamba would be happy to show you how our CFI solution helps avoid bugs of this type, to save you bounty prizes, eliminate response cycles, and of course outright lower your risk and make life harder for the next hackers trying to hack you or Tesla. It integrates seamlessly with no need to modify source files.

For a demo of XGuard capabilities, press here.
