19-year-old security researcher David Colombo found a way to gain remote access to more than 50 Tesla vehicles from around the world. After finding this vulnerability, he tried to warn the owners, but couldn’t find any contact information, so he obtained their email addresses through another security flaw and warned them.
In Colombo’s writeup regarding the matter, he emphasises that is not a vulnerability in Tesla’s infrastructure directly. The security flaw actually stems from a third-party Tesla data-logger called Teslamate. This is a tool that can give you detailed reports about your driving, charging, efficiency, energy consumption, and more. TeslaMate unfortunately stored some Tesla API keys unencrypted, which allowed Colombo to run his own commands on Teslas remotely.
He couldn’t steer the car or drive it, but he could access things like stereo volume, doors, windows, and disabling Sentry Mode. Even though he couldn’t drive the vehicles remotely, he technically could have used the auto-summon function which could make the car hit something. He even mentioned that he could ‘rick-roll‘ Tesla owners by playing Rick Astley on YouTube.
Colombo first noticed this vulnerability in October 2021 and even posted pictures of detailed driving routes taken by the hacked Teslas. Just to test the commands out, he reached out to a compromised Tesla’s owner and asked for permission to remotely honk the horn.
In order to alert the Tesla owners that he hacked, he found another security flaw in Tesla’s digital car key that allowed him to get their email addresses. He could even query the addresses with revoked access.
Since then, he has reached out to both Tesla and TeslaMate and they have now fixed the issues and revoked “thousands of keys”, meaning he cannot gain access to these vehicles or emails anymore.
Colombo said that he’s eligible for a bug bounty for his digital car key vulnerability discovery, but does not know the exact amount yet. Jokingly, he said he hopes it’s enough to cover his coffee bill from working on the discovery the last two weeks.
[ SOURCE, IMAGE SOURCE, 2 ]
Edaran Tan Chong Motor (ETCM) has announced that the Nissan Kicks e-Power is now open…
TikTok in partnership with Communications and Multimedia Content Forum of Malaysia (CMCF) have recently organised…
Tesla owners in Malaysia have reported that their vehicles can now perform the Autopark feature.…
After unveiling its latest smartphones, the Asus ROG Phone 9 series, to the world, Asus…
WhatsApp has introduced a new Voice Message Transcripts feature which allows users to easily convert…
This post is brought to you by Maybank. Unlock more than just transactions with MAE’s…
This website uses cookies.