A 19-year-old hacker and security researcher said he was able to control certain functions in dozens of Tesla vehicles around the world thanks to a bug in a third-party app that allowed owners to track their car movements, remotely unlock doors, open windows, start keyless drive, honk, and flash the lights.
David Colombo, the researcher who discovered the issue, asked Motherboard not to reveal all the details about what he found — such as the names of third-party apps — because some of the vulnerabilities he found had not yet been fixed. Colombo allowed Motherboard to review his upcoming blog post with details.
“With Teslas now in 13 countries around the world, I can disable Sentinel mode, unlock the doors, start keyless driving, and take them on a road trip,” Colombo told Motherboard in an interview.
Crucially, he said he couldn’t remotely control the car’s most important functions, such as steering, acceleration and braking. But he could still wreak some havoc.
“I think it could also lead to some potentially dangerous situations on the road, if you like to drive on the highway and then randomly, someone starts playing music at max volume or something like that,” he said.
Colombo explained that in addition to controlling some of the car’s functions, he could see a lot of sensitive data, such as the name the owner gave their Tesla, its current location, the precise route the car took in recent days, the speed of the car, and more.
Colombo was surprised when he first discovered this data.
“I was able to see where this guy was driving,” Colombo said. “I was like, yeah, sorry, how can I not see that.”
He then said he scanned the internet for more such examples and found more than 125 Teslas in countries including Germany, Belgium, Finland, Denmark, the UK, the US, Canada and China.
Obviously, the biggest risk is that someone could abuse the vulnerability to locate a Tesla, get to its location, and unlock it via the vulnerable third-party open-source application. Colombo said he has been working with the maintainers of the third-party application to fix the flaws.
Do you research bugs in Tesla or other cars? We would love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely via Signal, tel: +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com
Tesla did not respond to requests for comment sent to multiple email addresses, including the company’s investor relations inbox, news inbox and one for reporting security breaches.
Colombo stressed that the problems he found were not Tesla’s fault. The only exposed Teslas are those whose owners use specific third-party apps. Without being too specific, the crux of the problem is that the third-party app communicates with Tesla to pull the owner’s data through the company’s API, and the app exposes the private API keys of many owners on the internet, where everyone who knows where to look, like Colombo, can find them.

