Tesla Hackers Hijacked Amazon Cloud Account to Mine Cryptocurrency

February 20, 2018, 1:59 PM UTC

An unidentified hacker or hackers broke into a Tesla-owned Amazon cloud account and used it to “mine” cryptocurrency, security researchers said. The breach also exposed proprietary data for the electric carmaker.

The researchers, who worked for RedLock, a 3-year-old cybersecurity startup, said they discovered the intrusion last month while trying to determine which organization left credentials for an Amazon Web Services (AWS) account open to the public Internet. The owner of the account turned out to be Tesla, they said.

“We weren’t the first to get to it,” Varun Badhwar, CEO and cofounder of RedLock, told Fortune on a call. “Clearly, someone else had launched instances that were already mining cryptocurrency in this particular Tesla environment.”

The incident is the latest in a string of so-called cryptojacking attacks, which involve thieves hijacking unsuspecting victims’ computers to generate virtual currencies like Bitcoin. The schemes have seen a resurgence in popularity as cryptocurrency prices have soared over the past year.

Earlier this month, websites for the U.S. federal court system and the U.K.’s National Health Service roped their visitors into similar virtual money-minting operations.

RedLock’s researchers said they found Tesla’s credentials on an unsecured IT administrative console that lacked password protection. Specifically, they were on a Kubernetes console, a Google-designed software application that helps techies manage lightweight virtual machines known as containers.

The hackers quietly commandeered the console and ran scripts letting them mine digital coins on Tesla’s dime, the researchers said. The scheme potentially exposed an Amazon “simple storage service” (S3) bucket holding Tesla telemetry, mapping, and vehicle servicing data.

“It didn’t have personally identifiable information, per se,” Badhwar said. He added as a caveat that his team “didn’t try to dig in too much,” instead opting to alert Tesla as soon as it figured out to whom the unsecured data belonged.

The thieves employed cryptocurrency mining software called Stratum, but the researchers said they were uncertain of the type and amount of virtual loot mined. They were also unsure how long the intruders had access.

The hackers hid their tracks using clever tricks, the researchers said. To lay low, they appeared to intentionally reduce the CPU usage demanded by the cryptomining software and to mask their Internet addresses behind services offered by CloudFlare, a popular content delivery service.

Once notified, Tesla “resolved the issue pretty rapidly” in about two business days, Badhwar said.

Tesla awarded the researchers $3,133.70—a reference to “1337,” hacker slang for “leet” or “elite”—for reporting their findings, Badhwar told Fortune. He praised Tesla’s bug bounty program for providing clear guidance to security researchers seeking to report breaches and other security issues to the company. (Tesla’s max payout is $10,000.)

“We maintain a bug bounty program to encourage this type of research,” a Tesla spokesperson wrote in a statement emailed to Fortune, noting that the company began addressing the vulnerability “within hours of learning about it.”

“The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way,” the spokesperson said.

In the fall, RedLock revealed that it found similar cryptojacking incidents at Aviva, the British insurance firm, and Gemalto, the Dutch digital security company.

RedLock said in a report released Monday that it estimates 58% of organizations that use public cloud services, such as AWS, Microsoft Azure, or Google Cloud, have exposed to the public “at least one cloud storage service.” Eight percent have had cryptojacking incidents, according to RedLock.

Uber recently got into hot water with regulators for failing to promptly report a breach that exposed data for 57 million account holders. The hackers reportedly gained access to the data after acquiring keys to the ride-hailing firm’s Amazon cloud accounts, which Uber developers were said to have left open on the code-sharing website Github.

This post was updated to include a statement from Tesla and to correct a typo in the sum of its bounty award.