A vulnerability in a logging software used by Tesla car owners, paired with some poor security practices by the same owners, allowed a cybersecurity researcher to take “full control” of more than 25 vehicles. No malware was necessary, and no antivirus software would be able to detect the issue.
In a blog post, German researcher David Colombo revealed how the vulnerability allowed him to unlock the doors and windows, disable the Sentry mode, honk the horn, and even start keyless driving.
The vulnerability, which has since been patched, was found in the tool called TeslaMate. It’s a free logging software that Tesla owners can install on their endpoints to gain access to data such as energy consumption, energy history, or driving statistics. It’s a self-hosted web dashboard that needs access to Tesla’s API, which is where the problem lies.
Revoking APIs
The dashboard allowed anonymous access, and came with a default password setting which many users did not change. By extracting the Tesla API, through the dashboard, Colombo managed to keep his access to the vehicle, and also gain access to data such as location, recent driving routes, or parking locations.
Luckily enough, the researcher doesn’t believe the vehicle could be moved this way, but being able to flash the car’s light while it drives on the highway is dangerous enough.
Colombo found unprotected cars in the UK, Europe, Canada, China, and the States.
While this is not directly a security omission on Tesla’s end, there are a few things the company could do to keep its customers safe, the researcher claims, including revoking the API when the password is changed, which is industry-standard practice.
After discovering the problem, Colombo managed to get in touch with TeslaMate’s creators and have them issue a patch. Talking to TechCrunch, TeslaMate project maintainer Adrian Kumpf said the patch was built “within hours” of receiving Colombo’s heads-up.
Still, Kumpf stressed that the software is self-hosted and can’t protect against users accidentally exposing their systems to the internet. TeslaMate comes with a warning that the software should be installed “on your home network, as otherwise your Tesla API tokens might be at risk.”
Still, the patch needs to be manually installed.
- You might also want to check out our list of the best firewalls available now
Via: TechCrunch
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba