A teenager reported having found a flaw in a limited number of Tesla vehicles [1,2] allowing him the ability to remotely control some vehicle functions, such as unlocking doors and windows, starting Keyless Driving and deactivating their security system. It started with the German-based hacker David Colombo who wrote on Twitter that he was able to fully control over 20 Tesla vehicles in 10 countries. Later in his tweet, Colombo clarified that he was not able to steer these vehicles, however, he could query the exact location of the vehicle and could suddenly disturb the drivers by playing loud music or opening the doors while driving which could potentially lead to serious accidents. Colombo also clarified that it is not a vulnerability in Tesla’s infrastructure, the fault lies with the owners who use a specific third-party application. Therefore, he also tried to contact the owners. At the time of writing, no more information was available regarding which specific application may be responsible for making the vehicle accessible to attackers through the Internet. Colombo only gave as much detail that the issue lay in the third-party app which communicated the car owner’s data through Tesla’s API and exposed the API key of the owner’s vehicle to the Internet [2]. Coincidentally, the next day Tesla deactivated all V2 tokens requiring all third-party apps to use V3 tokens.
This incident clearly shows that security issues, vulnerabilities, design flaws or configuration errors can occur without being the manufacturer’s fault. Similar to personal computers, vehicles have become complex systems providing a platform for third-party software and giving more configuration options to the owners, yet they are also safety-critical systems. Without knowing the details, we still find interesting questions: “Who would be responsible if the vehicle got stolen?” Your insurance? or “What if an attacker caused an accident by suddenly disturbing the driver while being on a busy road or highway?”. Nevertheless, it would certainly hurt the brand’s image.
[1] https://www.vice.com/en/article/akv7z5/how-a-hacker-controlled-dozens-of-teslas-using-a-flaw-in-third-party-app
[2] https://www.bloomberg.com/news/articles/2022-01-12/teen-hacker-claims-to-have-taken-control-of-25-teslas-worldwide
[2] https://www.bloomberg.com/news/articles/2022-01-12/teen-hacker-claims-to-have-taken-control-of-25-teslas-worldwide
Other interesting news about automotive security:
- Open Source revolution, the developer behind the ‘colors’ and ‘faker’ NPM libraries has introduced an infinite loop breaking thousands of projects using it. The developer wanted to call for attention that big corporations are using their work for free and making commercial gain.
This example shows not only the frustration some open source developers feel, but it also highlights that open source software needs to be analysed and tested with every update before the software is used in production. - 2022 is not only a bad year for your mailbox, but also older models of Honda and Acura are victims of an integer overflow bringing their clock back to 2002.
- The first Log4j patch (v2.15.0) was incomplete and fixed with version 2.16.0
Written by Thomas Rosenstatter
