A vulnerability in a logging software used by Tesla car owners, paired with some poor security practices by the same owners, allowed a cybersecurity researcher to take “full control” of more than 25 vehicles. No malware was necessary, and no antivirus software would be able to detect the issue.
In a blog post, German researcher David Colombo revealed how the vulnerability allowed him to unlock the doors and windows, disable the Sentry mode, honk the horn, and even start keyless driving.
The vulnerability, which has since been patched, was found in the tool called TeslaMate. It’s a free logging software that Tesla owners can install on their endpoints to gain access to data such as energy consumption, energy history, or driving statistics. It’s a self-hosted web dashboard that needs access to Tesla’s API, which is where the problem lies.
The dashboard allowed anonymous access, and came with a default password setting which many users did not change. By extracting the Tesla API, through the dashboard, Colombo managed to keep his access to the vehicle, and also gain access to data such as location, recent driving routes, or parking locations.
Luckily enough, the researcher doesn’t believe the vehicle could be moved this way, but being able to flash the car’s light while it drives on the highway is dangerous enough.
Colombo found unprotected cars in the UK, Europe, Canada, China, and the States.
While this is not directly a security omission on Tesla’s end, there are a few things the company could do to keep its customers safe, the researcher claims, including revoking the API when the password is changed, which is industry-standard practice.
After discovering the problem, Colombo managed to get in touch with TeslaMate’s creators and have them issue a patch. Talking to TechCrunch, TeslaMate project maintainer Adrian Kumpf said the patch was built “within hours” of receiving Colombo’s heads-up.
Still, Kumpf stressed that the software is self-hosted and can’t protect against users accidentally exposing their systems to the internet. TeslaMate comes with a warning that the software should be installed “on your home network, as otherwise your Tesla API tokens might be at risk.”
Still, the patch needs to be manually installed.
- You might also want to check out our list of the best firewalls available now