Intruders 'borrowed' Tesla's public cloud for cryptocurrency mining (updated)
They also had access to private data.
Tesla isn't immune to the plague of cryptocurrency mining hijacks, it seems. Security researchers at RedLock have reported that intruders gained access to Tesla's Kubernetes console (where it deploys and manages containerized apps) without needing a password, exposing the EV brand's login credentials for Amazon Web Services. From there, the attackers both abused Tesla's cloud resources for cryptojacking and accessed private data held in Amazon's S3 service. The culprits were creative, too.
While many of these mining attempts rely on a public mining pool, the perpetrators here installed mining pool software and pointed a script to reach an 'unlisted' destination. The move made it harder to simply block the cryptojacking based on internet addresses. The intruders also masked the address of their mining pool server through CloudFlare, and minimized processor use to avoid giving away its presence.
RedLock said it notified Tesla right away when it discovered the breach, and that the automaker has already patched the flaw. It's not clear at this point what private data was involved, although this doesn't necessarily mean customer data. We've asked Tesla for comment on the incident and will let you know if it can share more.
There doesn't appear to have been much damage at first glance, but the intrusion continues a recent trend of companies and even militaries leaving sensitive info relatively unprotected. RedLock pointed out that there have been "hundreds" of instances like this at other companies. While the solutions in these cases are sometimes straightforward, that they're necessary at all suggests it'll take a while before companies are diligent about preventing slip-ups like this.
Update: Tesla has gotten in touch with the extent of the intrusion. It said it fixed the flaw within "hours," and that the effect appears to be limited to "internally-used engineering test cars." Your personal data should be safe, then. You can read the full statement below.
"We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way."
