19-year-old security researcher David Colombo found a way to gain remote access to more than 50 Tesla vehicles from around the world. After finding this vulnerability, he tried to warn the owners, but couldn’t find any contact information, so he obtained their email addresses through another security flaw and warned them.
In Colombo’s writeup regarding the matter, he emphasises that is not a vulnerability in Tesla’s infrastructure directly. The security flaw actually stems from a third-party Tesla data-logger called Teslamate. This is a tool that can give you detailed reports about your driving, charging, efficiency, energy consumption, and more. TeslaMate unfortunately stored some Tesla API keys unencrypted, which allowed Colombo to run his own commands on Teslas remotely.
He couldn’t steer the car or drive it, but he could access things like stereo volume, doors, windows, and disabling Sentry Mode. Even though he couldn’t drive the vehicles remotely, he technically could have used the auto-summon function which could make the car hit something. He even mentioned that he could ‘rick-roll‘ Tesla owners by playing Rick Astley on YouTube.
Colombo first noticed this vulnerability in October 2021 and even posted pictures of detailed driving routes taken by the hacked Teslas. Just to test the commands out, he reached out to a compromised Tesla’s owner and asked for permission to remotely honk the horn.
In order to alert the Tesla owners that he hacked, he found another security flaw in Tesla’s digital car key that allowed him to get their email addresses. He could even query the addresses with revoked access.
Since then, he has reached out to both Tesla and TeslaMate and they have now fixed the issues and revoked “thousands of keys”, meaning he cannot gain access to these vehicles or emails anymore.
Colombo said that he’s eligible for a bug bounty for his digital car key vulnerability discovery, but does not know the exact amount yet. Jokingly, he said he hopes it’s enough to cover his coffee bill from working on the discovery the last two weeks.
[ SOURCE, IMAGE SOURCE, 2 ]