Grand Theft Tesla: Android App Hack Unlocks, Starts Car
Norwegian researchers hacked the Tesla Android app to unlock a Tesla car and drive it away without a key fob.
Tesla drivers using the company's Android app to control their cars could be facing serious safety concerns, according to security researchers who demonstrated in a video that anyone with a laptop and Android hacking skills can exploit the app to unlock, start and drive away a stranger's Tesla.
In a blog posting and YouTube video from last week, researchers at Norwegian computer-security firm Promon showed how they could track and unlock Tesla vehicles. They could even go as far as stealing the vehicles, using a Tesla app feature that lets owners drive the car without even having their key fob on them.
The problem exists in part, the Promon blog post said, because many Android phone manufacturers aren't delivering operating-system security patches needed to prevent cyber attacks. More current versions of Android such as Android 6 Marshmallow or Android 7 Nougat make the attack more difficult, but not impossible.
This specific exploit used a malicious app downloaded from the Google Play app store on a non-rooted 2014 Samsung Galaxy A5 running Android 5.0 Lollipop, the most recent version of the OS compatible with that model of phone. A Tesla owner would have to unknowingly download such a malicious app, but that happens frequently enough, even in the official Google Play app store.
Furthermore, this exploit applies only to Tesla drivers who have set up the Android app so that they don't need to enter their login credentials every time they use it. Doing so creates an authentication token that's valid for 90 days, but which the Tesla app does not protect with encryption. Many kinds of Android malware could copy and re-use the Tesla authentication token to gain access to the car.
However, the malware needs to also capture the user's actual username and password to start the car's engine. Again, many kinds of Android malware could do so.
This type of mobile-app vulnerability isn't limited to the Tesla app. The lack of security updates could allow hackers to access other Android apps, Promon says, but the ability to take control of a Tesla owner's car is particularly disturbing and potentially dangerous for more than just a vehicle's owner.
To prevent your Tesla from disappearing from your driveway, disable the feature that lets you go 90 days without logging into the Android app. Update your phone's operating system to Marshmallow or Nougat. (If you can't, but you own a Tesla, then you can afford a new phone.) Install and run Android security software that can catch and block most kinds of Android malware. And be very careful when installing Android apps you're not familiar with.
Althea Chang is Associate Director of Content Development for Consumer Reports and was previously a Senior Writer for Tom's Guide, covering mobile devices, health and fitness gadgets and car tech.
Bob_127: The easier it is to hack into and "steal" a car, the easier it is to instantly locate it once it is stolen, and also to disable it.
