Tesla has fallen victim to a cryptojacking attack, the latest high-profile case of a website using visitors’ computer resources to generate cryptocurrency tokens.
The issue, as discovered by the Redlock CSI team and outlined in a Tuesday blog entry, was found on one of Tesla’s Kubernetes pods rather than a public-facing web page. The fact that the attackers also used a small amount of resources and hid the mining pool behind the CloudFlare service also made it hard to spot. Tesla claims that the attack was limited to an engineering tool page only.
“The relative ease of implementing cryptojacking malware coupled with cryptocurrency prices makes it a lucrative venture for hackers,” Troy Mursch, a Las Vegas-based security expert that publicized a Google Chrome cryptojacking attack last year, tells Inverse.
The attack and others like it focus on cryptocurrency mining, where volunteers set their computers to solve difficult math problems and verify global transactions in exchange for tokens. “Cryptojacking” sets other computers to do the work and takes the token reward for the attacker. An attack can cause a computer slowdown or, in extreme cases, trigger a mobile battery failure.
ASIC Bitcoin Miner at ATechRes in 2013.
Tesla has joined a rapidly-growing list of victims from this year alone. The Check Point research team discovered a widespread XMRig miner operation that generated over $3 million of the hard-to-trace Monero cryptocurrency. Last week, an attack hit a number of Australian and British government websites through an exploit in the browser plug-in Browsealoud.
“I’d say we’ll see more cryptojacking incidents this year, as long as someone is making money off them,” Mursch says.
In response to the attack, a Tesla spokesperson tells Inverse:
“We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it. The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”