Flaws in third-party software exposed dozens of Teslas to remote access – TechCrunch

A security researcher said he was able to remotely access dozens of Teslas around the world because security bugs found in an open source logging tool popular with Tesla owners exposed their cars directly to the internet.

News of the vulnerability was first revealed earlier this month in a tweet by David Colombo, a security researcher in Germany, who said he had full remote control of more than 25 Teslas, but was struggling to disclose the issue to affected Tesla owners without making the details public and also alerting malicious hackers.

The bug is now fixed, Colombo confirmed. TechCrunch held this story until the vulnerability could no longer be exploited. Colombo published his findings in a blog post.

Colombo told TechCrunch that the vulnerabilities were found in TeslaMate, a free-to-download logging software used by Tesla owners to connect to their vehicles and access their cars' otherwise hidden data: energy consumption, location history, driving statistics and other granular data for troubleshooting and diagnosing problems. TeslaMate is a self-hosted web dashboard, often running on the home computers of Tesla hobbyists, and relies on access to Tesla's API to tap into their cars' data, which is tied to the car owner's account.

But security flaws in the web dashboard, like allowing anonymous access and using default passwords that some users never changed, coupled with misconfigurations by some Tesla owners, resulted in at least a hundred TeslaMate dashboards being exposed directly to the internet, including the car owner's API key used to remotely control their Teslas.

In a call with TechCrunch, Colombo said the number of impacted Teslas is likely higher.

One of the exposed TeslaMate dashboards showed one Tesla's recent travel routes across California. TeslaMate has since fixed its vulnerabilities and Tesla has revoked thousands of API keys. Image Credits: David Colombo (supplied)

Colombo said he discovered that TeslaMate dashboards were unprotected by default after stumbling on an exposed dashboard last year. After scanning the internet for more open dashboards, he found exposed Teslas in the U.K., Europe, Canada, China and across the United States.

But contacting individual Tesla owners with exposed dashboards would be a Herculean task, Colombo explained, and in many cases, it's not possible to accurately discern a way to contact affected Tesla customers.

Worse, it was possible to extract the Tesla user's API key from the exposed dashboard, allowing a malicious hacker to retain long-term access to Teslas without the driver's knowledge. (An API allows two things to talk to each other over the internet; in this case, a Tesla car and the company's servers, the Tesla app or a TeslaMate dashboard.) Access to Tesla's API is restricted to Tesla owners through a private API key associated with the owner's account.

With access to an exposed API key, Colombo said he could remotely access some features of the car, such as unlocking the doors and windows, honking the horn and starting keyless driving, which he verified with one Tesla owner in Ireland. He could also access the data inside, such as the car's location data, recent driving routes and where it's parked. Colombo said he does not believe it's possible to use the API access to move the vehicle remotely over the internet.

Colombo said that while the security issues weren't in Tesla's infrastructure, Tesla could do more to improve its security, such as revoking a customer's API key when their password is changed, an industry-standard practice.

After privately reporting the vulnerabilities, TeslaMate pushed a software fix that users have to manually install to prevent access. TeslaMate project maintainer Adrian Kumpf told TechCrunch that the update went out within a few hours of receiving Colombo's email. In an email, Kumpf said that because the software is self-hosted, it can't protect against users accidentally exposing their systems to the internet, adding that TeslaMate's documentation has long warned users to "install the software on your home network, as otherwise your Tesla API tokens might be at risk." Kumpf also said that users who chose the advanced installation option should not be affected.

Colombo told TechCrunch that Tesla revoked thousands of drivers' API keys, potentially indicating that the issue may have been more widespread than initially thought. Tesla did not respond to requests for comment prior to publication. (Tesla scrapped its public relations team in 2020.)
