Smart Glasses + Tesla = Car Thief’s Dream?

The paper "From Virtual Touch to Tesla Command: Unlocking Unauthenticated Control Chains From Smart Glasses for Vehicle Takeover" by PhD student Xingli Zhang and professor Xiali (Sharon) Hei, both of our School of Computing and Informatics, and their colleagues Yazhou Tu, Yan Long, Liqun Shan, Mohamed A Elsaadani, Kevin Fu, and Zhiqiang Lin received a Distinguished Paper Award at the recent 45th IEEE Symposium on Security and Privacy. They uncovered a troubling vulnerability involving wearable devices and automation apps. It turns out that smart glasses paired with smartphones could potentially offer unauthorized access to Tesla vehicles.

Professor Xiali (Sharon) Hei noted that less than 1% of more than 1400 submitted papers receive this award. “We are thrilled to receive such an award! This work broke several assumptions of previous attacks and is more practical. It will show a new direction to conduct end-to-end physical-injection attacks on enlarged control chain,” said Dr. Hei.

Xingli Zhang and Xiali (Sharon) Hei with the award.

What’s Going On

The study revealed that adversaries could compromise security-critical Internet of Things (IoT) systems by exploiting smart glasses. For instance, to unlock a Tesla vehicle, an adversary can trigger the voice assistant on a victim's screen-locked phone via electromagnetic interference on the capacitive touch sensor of smart glasses, and subsequently play synthesized voice commands. These compromised functionalities are managed by automation tools like Apple Shortcuts and IFTTT. Many of these functions are critical to security and safety, such as unlocking doors, disabling sentry mode, and remote starting the vehicle for keyless driving. The researchers noted that the adversary needs to know the specific phrases used for Shortcuts or IFTTT actions. However, these phrases are usually available online. For instance, Tesla Shortcuts can be found online once the user downloads the Tesla app. Additionally, the attacker must be near the victim's device, while the smart glasses are within Bluetooth range (which can reach more than 70 meters) of the user's paired smartphone.

“Our research reveals critical vulnerabilities in the integration of wearable devices and automated control systems, particularly through smart glasses, which can be exploited to control security-critical functionalities like Tesla vehicles without user verification. Our key findings highlight the dangers of implicit digital trust within these automated control chains and the insufficient security measures of automation tools like Apple Shortcuts and IFTTT, underscoring the urgent need for more robust and comprehensive security protocols,” said co-author Dr. Zhiqiang Lin, distinguished professor and Director of the Institute for Cybersecurity and Digital Trust at The Ohio State University.

Why It Matters

Automation tools such as IFTTT and Apple Shortcuts are increasingly used in smart homes and connected vehicles. Tesla adopted official support for Apple Shortcuts in August 2023 and subsequently released official APIs in October 2023, indicating a trend towards automation tools and more interconnected systems. The research demonstrated that it is possible to manipulate Shortcuts and IFTTT-based automated control chains by exploiting the wearable gateway (smart glasses) while the paired smartphones remain screen-locked, without requiring authorization, user interaction, or compromising user-specific information like fingerprints or voice. The study also revealed a critical oversight: once modules in automated control chains are installed and configured, they tend to trust previously established modules implicitly, even when these control chains are triggered by adversaries using physical signals independent of the victim user. As wearable technology diversifies and the integration of automation tools, connected cars, and IoT progresses, there is a growing need for user-centered security mechanisms to improve trust in wearable technology and automated control chains while maintaining usability and accessibility.

“Our demo is magic. Without an OBD connector and user’s password or voiceprint, one attacker can fully control the Tesla car within 7 seconds using a portable device!” said co-author Dr. Yazhou Tu, an assistant professor in computer science at Auburn University and a School of Computing and Informatics alumnus.

More Information

Follow these links for more information: The paper (PDF); First video demonstration (YOUTUBE); Second video demonstration (YOUTUBE).