By infecting a Tesla owner's phone with Android malware, a car thief can hack and then steal a Tesla car, security researchers have revealed this week.

Previous attempts to hack Tesla cars attacked the vehicle's on-board software itself. This is how Chinese security researchers from Keen Lab have managed to hack a Tesla Model S last month, allowing an attacker to control a car from 12 miles away.

Security experts from Norwegian security firm Promon have taken a different approach, and instead of trying complicated attacks on the car's firmware, they have chosen to go after Tesla's Android app that many car owners use to interact with their vehicle.

Tesla Android app is the hackers' entry point

By default, when Tesla owners install the Android app, they'll have to enter a username and password, for which the app generates an OAuth token. The app will use this token every time the user re-opens his app, so the user won't have to enter a username and password tens of times per day.

The app doesn't keep this token forever, but deletes it after 90 days, and asks the user for his username and password again.

Promon researchers have discovered that the Tesla app keeps this token in a plaintext file, in the app's "sandbox" folder. An attacker can read this token if he has access to the user's phone.

Android app saves OAuth token in cleartext

Researchers say that it's easy for an attacker to create a malicious Android app, that contains rooting exploits such as Towelroot and Kingroot. These exploits can be used to escalate the malicious app's priviliges and read data or alter other apps.

While the token allows an attacker to perform several actions, he can't start a Tesla car. For this he needs the user's password.

Promon researchers say that if the malware deletes the OAuth token from the user's phone, the app will prompt the user to enter his password again, providing the perfect opportunity to collect the user's password.

Attackers also modify the Tesla app's source code to steal login data

Researchers say that this is easy and can be done by modifying the original Tesla app's code. Since the attacker has already rooted the user's phone, the attacker can alter the Tesla app and send a copy of the victim's username and password to the attacker.

With this data in hand, the attacker can perform a series of actions, such as using the car's keyless driving functionality and start the engine, open doors, or track the car on the road. Other actions are also theoretically possible, but researchers haven't tested all of them.

All these are perfomed just by sending well-crafted HTTP requests to the Tesla servers with the victim's OAuth token, and password, when necessary.

Victims must install a malicious app on their phones first

For all of this to be possible, the main key is that the attacker convinces the victim to install a rogue app on his Android device.

In a video below, the Promon team reveals a simple social engineering trick that fools a user to install a malicious app on his phone by promising the victim a free meal at a local restaurant.

While Tesla is to blame for failing to protect the OAuth token in their app, mobile cariers are also at fault. For the past year, Google has been providing timely security updates for the Android OS, which many carriers have been failing to deliver to their customers.

Promon engineers recommend that the Tesla app provide two-factor authentication, should avoid storing the OAuth token in cleartext, prevent easy access to its source code, and use a custom keyboard layout when entering passwords to fight against mobile keyloggers.