A 19-year-old hacker and IT security researcher from Germany has found something that highlights one of the risks of IoT tech. He discovered a flaw in open source software available for Tesla electric vehicles. The flaw allowed him to remotely control more than 25 of the vehicles.
A Vulnerability in Third-Party Software
Before you park your Tesla for good, the teen explained that the flaw isn’t within Tesla’s infrastructure. It also doesn’t allow someone to take over the car’s driving.
The teen, David Colombo, reported the issue to Tesla’s security team. Those engineers are investigating, but the root cause is a misconfiguration of the open-source project called Teslamate.
The developer behind Teslamate describes it as a “self-hosted data logger for your Tesla”. It allows a Tesla owner to collect drive and charging reports, driving efficiency data, update history, visited addresses, and more.
When properly configured, Teslamate offers great metrics for owners of the electric vehicle. However, misconfigured installations exposed the authentication needed to reach many of the car’s controls, which is how Colombo got in.
How the Hacker Could Control Teslas Remotely
Colombo confirmed he couldn’t take over steering, throttle, or brakes from the car’s owner. However, he could remotely disable the remote camera system, unlock the doors, open the windows, and even determine the car’s exact location.
Potentially, Colombo says, he could unlock the doors and start driving a Tesla if it wasn’t already being operated. He hasn’t tried that, and says he “can not intervene with someone driving (other than starting music at max volume or flashing lights)”.
Since these important facts seem to drown between other comments, I’ll add them here again 👇
This is not a vulnerability in Tesla’s infrastructure. It’s the owners’ fault. That’s why I would need to report this to the owners as stated above.
[1/X]
— David Colombo (@david_colombo_) January 11, 2022
Colombo reported his discovery on Twitter, which promptly exploded with arguments both for and against Tesla. Despite numerous requests for more details of the exploit, such as screenshots, the security researcher hasn’t provided them.
He wants to see it fixed first, which is a very responsible attitude to hold. Teslamate may have already released a patch that prevents the misconfiguration that made all this possible.