Endpoint Security , Governance & Risk Management , Identity & Access Management
Researcher Says Flaw Allows Remote Access to Teslas
Flaw Doesn't Affect Acceleration, Braking or SteeringA security researcher says he's discovered a software flaw affecting a small number of Teslas, allowing him to unlock doors and windows, start vehicles without keys and disable security systems.
See Also: Core Elements of Modern Workforce Identity Security
David Colombo describes himself as a 19-year-old cybersecurity specialist who is based in Dinkelsbuhl, Germany. Early Tuesday, Colombo tweeted he'd been able to remotely access more than 25 Teslas in 13 countries without the owners' knowledge.
Nevertheless I now can remotely run commands on 25+ Tesla‘s in 13 countries without the owners knowledge.
— David Colombo (@david_colombo_) January 11, 2022
Regarding what I‘m able to do with these Tesla‘s now.
This includes disabling Sentry Mode, opening the doors/windows and even starting Keyless Driving.
[2/X]
"It was crazy when I discovered this," Colombo tells ISMG. "I could see the owners going grocery shopping or driving to work, and I knew I would be able to control certain aspects of their vehicles."
Colombo says he was also able to query a vehicle's location, an obvious privacy concern. He says he can turn off Sentry Mode, which uses motion sensors and cameras as part of a security system.
Colombo also says he can also see if a driver is present, manipulate the entertainment system, honk the horn and much more. For example, he could see what name an owner has assigned a Tesla, which in one case Colombo tweeted is "Red Dwarf." But Colombo says he can't use the flaw to control steering, acceleration or braking.
Colombo says he wanted to disclose the issue to the owner of the cars, but he didn't know who owned the vehicles. Colombo says he has since been in contact with Tesla's security team and is working on a write-up describing the vulnerability. The issue he found has also been allocated a CVE by Mitre, which catalogs security vulnerabilities.
John Jackson, a senior offensive security consultant with SpiderLabs and founder of the independent security research group Sakura Samurai, says he's seen Colombo's findings and they're "legit."
"The findings, while not necessarily indicative of a Tesla-specific flaw, present a serious security concern, and there's a chance that some of these owners don't realize that they are exposing their vehicles," Jackson says.
Flaw Not on Tesla's Side
Colombo has not revealed the exact details of the vulnerability, but he tweeted a series of intriguing clues. For one, he tweeted that the vulnerability is not within Tesla's software or infrastructure. Also, he tweeted that only a small number of Tesla owners are affected.
There are a variety of third-party apps for Tesla's vehicles for features such as calculating performance metrics, maps and directions and for remote controls such as unlocking doors, flashing lights and honking the horn.
I am not going to disclose exact details until I was able to notify the owners and they were able to fix it.
— David Colombo (@david_colombo_) January 11, 2022
We don‘t need random people going around messing with cars, because they read on Twitter how to do it.
The finding would appear to pose tangential risks to drivers. Colombo theorized that he could suddenly blast music at the highest volume while someone is driving, which could cause someone to lose control of their vehicle.
Tesla runs a bug bounty program through Bugcrowd, a vulnerability disclosure platform. Tesla allows security researchers to register their own vehicles for security testing, which Tesla will preapprove. The company pays up to $15,000 for a qualifying vulnerability.
Tesla will also accept reports of bugs in third-party libraries or other external projects. According to its product security page, Tesla says it may forward those reports to those developers.
"We will do our best to coordinate and communicate with researchers through this process," Tesla says.