A security researcher was able to hack into multiple Tesla cars all around the world!

He said that vulnerabilities in the third-party software allowed him easy access to many Tesla cars.

A security specialist and hacker by the name of David Colombo has posted a series of tweets in which he claims to have gained control of over 20 Tesla cars in over 10 countries around the world! He said that he was able to open and close doors remotely, and even start the engine and blow the horn!

Colombo put out a series of tweets, and even made a blog post on the same. For the tech-savvy ones among us, there’s a lot of stuff of interest in what he wrote, but to the average Joe it’s a grand mish-mash of letters and numbers which just look cool! He released a timeline of the events and went into detail about how he was able to do the hack; details follow below.

Credits: https://medium.com/@david_colombo/how-i-got-access-to-25-teslas-around-the-world-by-accident-and-curiosity-8b9ef040a028

The Timeline Of Events

2021-10-29: First got aware of this issue (found the first affected third-party instance).

2021-10-29: Contacted the owner.

2021-11-01: Got the instance taken down.

2022-01-09: Searched internet-wide for affected third-party instances.

2022-01-10: Found more than 20+ in 12 countries.

2022-01-10: Tried to find owner-identifying information.

2022-01-10: Reported this to two Tesla owners I was able to find.

2022-01-10: Tweeted about it, because I was frustrated that I couldn't identify more Tesla owners.

2022-01-10: The Tweet exploded.

2022-01-10: Number of found instances grew to 25+ in 13 countries.

2022-01-10: I talked to the renowned cyber security expert John Jackson, who recommended I get a CVE-ID assigned for this, so the issue can be handled more efficiently.

2022-01-11: Requested a CVE-ID from MITRE. Providing preliminary information.

2022-01-11: Prepared this detailed writeup to describe the full situation.

2022-01-11: Contacted the Tesla Product Security Team to get the affected owners notified asap.

2022-01-11: Contacted the third-party maintainer to possibly get a patch ready.

2022-01-11: Shared additional information regarding affected owners with the Tesla Product Security Team.

2022-01-11: MITRE granted the CVE-ID request. CVE-2022-23126 pending.

2022-01-11: The Tesla Product Security Team confirmed they are investigating the case.

2022-01-12: The third-party maintainers released version 1.25.1 with a partial fix.

2022-01-12: Tesla revoked thousands of potentially affected API tokens at 6:30 UTC / 7:30 CET.

2022-01-12: Tesla actively forced some affected users to reset their passwords.

2022-01-12: Waiting on further response from the Tesla Product Security Team.

2022-01-12: Worked with the third-party maintainer to explore potential further patches (encrypting the critical access tokens).

2022-01-13: The Tesla Security Team confirmed they revoked all affected API access tokens and all the affected Tesla owners have been notified by email and push notification.

2022-01-13: Some of the previously affected Tesla owners still seem to be affected.

2022-01-18: In contact with Tesla again, waiting on clarification from the Tesla Security Team.

2022-01-19: Tesla revoked another batch of access tokens.

2022-01-19: Discovered and reported an additional vulnerability, this time affecting Tesla's API directly.

2022-01-22: Tesla confirmed the additional vulnerability and rolled out a fix into production.

2022-01-24: Public Release of this Writeup.

So, should Tesla owners worry? Not anymore, for Colombo got in touch with Tesla themselves, and Tesla got to sending out remote updates for all Teslas which were affected, and now thankfully the matter can be put to rest… or can it?

This discovery could lead to the discovery of more backdoors which could be used to remotely control vehicles. The app in question which caused all this to be discovered? It's a third-party app called TeslaMate, which tracks in-depth details about the car, logging stats and more. The purpose of the app isn't malicious at all; its source code is open-source and is readily available on GitHub as well. Unfortunately, it had some security weaknesses, such as allowing anonymous logins, and users not opting for a strong password. Together, these led to Colombo gaining access to the vehicles.

The problem lay with the fact that each individual car's API access token could be extracted from an exposed TeslaMate instance, which effectively means that the car could be controlled indefinitely by a hacker with malicious intentions. This might raise doubts about Tesla's security, but to pin all the blame on Tesla would be wrong. Why do I say so?

There is a simple reason for it: TeslaMate isn't official software from Tesla, and it can only be activated when the user does so. This means that the majority of the blame lies on the users and not on Tesla, though from their end Tesla could take a few measures to ensure this doesn't happen in the future. For starters, the API token assigned to each vehicle's remote access point on the Tesla servers could be changed every time a password or similar is changed, since third-party services more often than not won't be able to provide advanced security at all times. Though the issue has been resolved, Tesla owners must still stay vigilant, and follow the basic rule of not letting software that seems too good to be true onto their precious Teslas!
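To make the mitigation above concrete, here is an added example (not code from Tesla, TeslaMate or Colombo's writeup) of a small in-memory token service in which every API token is bound to the account's credential generation, so that a password change invalidates all tokens issued before it, and only token digests are stored, so a leaked copy of the store does not yield working tokens. All names (TokenService, issue_token, credential_generation) and the in-memory store are assumptions for illustration.

```python
"""Token issuance bound to the account's credential generation (illustrative, not Tesla's API)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    credential_generation: int = 0   # bumped on every password change


@dataclass
class TokenRecord:
    owner: str
    generation: int                  # credential generation the token was minted under
    revoked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _hash_token(token: str) -> str:
    # Only the digest is stored; a dump of the store does not contain usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenService:
    """Hypothetical token service: tokens die when the password changes."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.tokens: Dict[str, TokenRecord] = {}   # keyed by token digest, never by raw token

    def register(self, owner: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[owner] = Account(salt, _hash_password(password, salt))

    def _check_password(self, owner: str, password: str) -> Account:
        acct = self.accounts.get(owner)
        if acct is None or not hmac.compare_digest(
            acct.password_hash, _hash_password(password, acct.salt)
        ):
            raise PermissionError("invalid credentials")
        return acct

    def issue_token(self, owner: str, password: str) -> str:
        acct = self._check_password(owner, password)
        token = secrets.token_urlsafe(32)
        self.tokens[_hash_token(token)] = TokenRecord(owner, acct.credential_generation)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the owner the token belongs to, or None if it is unknown, revoked or stale."""
        rec = self.tokens.get(_hash_token(token))
        if rec is None or rec.revoked:
            return None
        if rec.generation != self.accounts[rec.owner].credential_generation:
            return None   # minted before the last password change
        return rec.owner

    def change_password(self, owner: str, old: str, new: str) -> int:
        """Rotate the password and revoke every live token; returns how many were revoked."""
        acct = self._check_password(owner, old)
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new, acct.salt)
        acct.credential_generation += 1
        return self.revoke_all(owner)

    def revoke_all(self, owner: str) -> int:
        count = 0
        for rec in self.tokens.values():
            if rec.owner == owner and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    svc = TokenService()
    svc.register("owner@example.com", "correct horse battery")     # constructed sample account
    leaked = svc.issue_token("owner@example.com", "correct horse battery")
    print("before password change:", svc.validate(leaked))        # owner@example.com
    svc.change_password("owner@example.com", "correct horse battery", "new passphrase")
    print("after password change:", svc.validate(leaked))         # None
```

The generation counter gives a second line of defence beyond the revoked flag: even if a token record were restored from an old backup, it would still fail validation because its generation no longer matches the account's.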

Source: TechCrunch, David Colombo’s Blog @Medium.com


Sahil D.

Love sleeping, video games and aviation, but F1 is life! I'm addicted to F1 and it's happenings, and I really love open-wheel motorsport! Feel free to check out any of my articles- I try my best to write without an element of bias, so you as the reader can form your own opinion! :)
