areyentiraidhi Posted January 27, 2022

The 19-year-old German security researcher who somehow managed to gain remote access to dozens of Teslas spread out around the world has spilled the beans on how he did it.

In a Medium post, David Colombo provided an in-depth accounting and timeline of his previous experiment where he claimed he could remotely run commands (like adjusting a vehicle’s stereo volume, manipulating doors and windows, and even engaging Tesla’s “Keyless Driving” tool), potentially without drivers ever knowing.

Colombo revealed he was able to gain access to the vehicles through a security flaw in an open-source logging tool called TeslaMate. That tool lets Tesla owners monitor more granular data like their vehicle’s energy consumption and location history by utilizing Tesla’s API. However, Colombo said he was able to repurpose a handful of Tesla’s API keys, which he said were stored unencrypted by TeslaMate, to run his own commands. “You could run commands that annoy the out of the Tesla owner,” Colombo wrote, “And you could even steal the Tesla.”

The write-up was part of Colombo’s official responsible disclosure report submitted to Tesla’s security team. Colombo says he “found 25+ Tesla’s [sic] from 13 countries within hours.” The countries where the Tesla vehicles were located include “Germany, Belgium, Finland, Denmark, the UK, the US, Canada, Italy, Ireland, France, Austria and Switzerland,” he wrote, adding: “There were about at least an additional 30+ from China, but I really did not want to mess with China’s cyber security laws so I left them completely untouched.”

Since Tesla later revoked “thousands of keys,” Colombo said, it’s possible the issue was far more widespread than his research uncovered. Though Colombo was able to manipulate a shocking amount of the car’s features, he does not believe he would have been able to remotely move the car or manipulate steering or brakes. Colombo said he reached out to both Tesla and TeslaMate and that fixes have been issued.

In his timeline of events, the researcher said he first noticed the vulnerability in a single vehicle back in October 2021 before discovering it in 20 more early this month. Images on the blog post show detailed maps documenting the driving history of several of the affected vehicles with eerie precision. Colombo also included images of text message exchanges between himself and one of the affected Tesla owners. In that case, the owner gave Colombo permission to remotely trigger his car horn.

Colombo also provided some details on an additional flaw, this time in Tesla’s digital car key, that allowed him to obtain drivers’ email addresses. In an earnest effort to alert the previously affected drivers of the third-party flaw affecting their vehicles, Colombo said he stumbled upon a flaw that allowed him to query drivers’ email addresses. Though Colombo was searching specifically for the emails of owners of the affected vehicles, the software flaw could potentially be abused to find emails associated with other Tesla owners. “At the beginning of the story I didn’t have any way to find owner-identifying information and now I can query email addresses even with revoked access,” Colombo wrote, “Kind of ironic!”

Colombo later clarified his findings in an interview with Bloomberg, saying the flaw was found in an API for Tesla’s digital car key. The researcher said he immediately notified Tesla’s security team about the email flaw and confirmed they had quickly rolled out a patch to address the issue.

“There should be no way at all that someone could literally walk up to some Teslas they do not own and take them for a drive,” Colombo wrote.
Balibabu Posted January 27, 2022

Didn't that Tesla guy give him a bounty?
NeneRajuNeneManthri Posted January 27, 2022

1 hour ago, Balibabu said: Didn't that Tesla guy give him a bounty?

Why would they give one? He got the API keys from users who linked their accounts to third-party apps. Tesla officially doesn't support any API for third-party usage. So it's not Tesla's fault. These users set up third-party apps and didn't secure them enough.
hydusguy Posted January 27, 2022

1 minute ago, NeneRajuNeneManthri said: Why would they give one? He got the API keys from users who linked their accounts to third-party apps. Tesla officially doesn't support any API for third-party usage. So it's not Tesla's fault. These users set up third-party apps and didn't secure them enough.

Well, there should be some way to stop it... like MFA.
NeneRajuNeneManthri Posted January 27, 2022

3 minutes ago, hydusguy said: Well, there should be some way to stop it... like MFA.

Tesla does support MFA. When you log in to the Tesla app, it generates an access token and a refresh token. Every API call against Tesla uses the access token. Every month the access token expires and the app uses the refresh token to get a new access token. When you change your Tesla password, these tokens expire. These third-party apps mimic how the main Tesla app works and generate those tokens. I'm just surprised Tesla never stopped this, as it takes a hit on their server performance as the apps increase. As Tesla never intended their API for third-party usage, these access tokens allow third-party apps to do pretty much what the app can do on the car, which is everything except remotely driving the car. So anyone who can get that access token can do whatever they want. And on top of this, this guy has given himself the title of hacker.

TeslaMate is an open-source data logging tool for Tesla. It just logs your drive details, your charging info, how efficient your car is and a lot more information. It doesn't allow car control. But because the access token is the same for read and write, it causes this issue. Ideally this app is intended for self-hosting, which is fine within your home network without exposing it to the Internet. Then no one can access or hack it. But people wanted to see their data, so they started putting it out on the cloud without security, and then this happens.
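A defensive check for the self-hosting point made above, added here as an example and not TeslaMate's own code: it audits a docker-compose service list for ports published on every host interface (the "put it on the cloud without security" case) and proposes a loopback-only binding so the UI is only reachable via a VPN or an authenticating reverse proxy. The compose data, service names and port numbers are constructed assumptions shaped like a typical self-hosted stack.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortMapping:
    service: str
    host_ip: str          # host interface the port is bound to ("" = unspecified)
    host_port: str
    container_port: str
    proto: str

    @property
    def public(self) -> bool:
        # No host IP, 0.0.0.0 or :: means Docker publishes the port on every
        # interface, including the Internet-facing one on a cloud VM.
        return self.host_ip in ("", "0.0.0.0", "::")

def parse_port(service: str, spec) -> PortMapping:
    """Parse one compose 'ports' entry: short "ip:host:container/proto" syntax
    or the long {"target": .., "published": .., "host_ip": ..} dict syntax."""
    if isinstance(spec, dict):
        return PortMapping(service, str(spec.get("host_ip", "")),
                           str(spec.get("published", "")), str(spec["target"]),
                           str(spec.get("protocol", "tcp")))
    spec, proto = (str(spec).rsplit("/", 1) + ["tcp"])[:2]
    parts = spec.split(":")
    if len(parts) == 1:                      # "4000": random host port, all ifaces
        return PortMapping(service, "", "", parts[0], proto)
    if len(parts) == 2:                      # "4000:4000": all interfaces
        return PortMapping(service, "", parts[0], parts[1], proto)
    host_ip = ":".join(parts[:-2]).strip("[]")   # "127.0.0.1:.." or "[::1]:.."
    return PortMapping(service, host_ip, parts[-2], parts[-1], proto)

def exposed_ports(compose: dict) -> list:
    """Every published port reachable from outside the host."""
    return [m for name, svc in compose.get("services", {}).items()
            for m in (parse_port(name, p) for p in svc.get("ports", []))
            if m.public]

def suggest_fix(m: PortMapping) -> str:
    """Loopback-only binding for the same port."""
    return f"127.0.0.1:{m.host_port or m.container_port}:{m.container_port}"

# Constructed compose data (shaped like yaml.safe_load output); assumed to
# resemble a self-hosted TeslaMate stack, not taken from the project.
SAMPLE_COMPOSE = {"services": {
    "teslamate": {"ports": ["4000:4000"]},            # web UI, all interfaces
    "grafana":   {"ports": ["3000:3000"]},            # dashboards, all interfaces
    "database":  {},                                  # no ports: internal only
    "mosquitto": {"ports": ["127.0.0.1:1883:1883"]},  # already loopback-only
}}

if __name__ == "__main__":
    for m in exposed_ports(SAMPLE_COMPOSE):
        print(f"{m.service}: {m.host_port}/{m.proto} is bound to all interfaces; "
              f"bind it as {suggest_fix(m)} instead")
```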