Thu | Jan 27, 2022 | 2:33 PM PST

While we might not be driving flying cars yet like Marty McFly, the day our cars can drive us to and from work is not too far in the future.

Tesla is one car maker that is getting closer and closer to creating a fully electric, self-driving car, but it has hit some speed bumps along the way, specifically with security issues.

David Colombo, a 19-year-old security specialist from Germany, recently discovered a vulnerability in dozens of Teslas around the world, allowing him to gain remote access to the vehicles. He found he could mess around with all kinds of settings and even view a car's location and where it had traveled. 

He shared the entire story of how he gained access and what he could do in a Medium post:

"In short: I was able to run remote commands such as 'disable Sentry Mode', 'unlock the doors', 'open the windows' and even 'start Keyless Driving'.

You see where this is going? Someone with malicious intent could even steal the car.

I, fortunately, did not have any access to the steering, accelerator and brakes and any other driving safety critical feature (although I might have been able to use the summon feature to get the car moving, but I cannot confirm if this would have been possible).

Nonetheless, there should be no way at all that someone could literally walk up to some Teslas they do not own and take them for a drive.

I also think it potentially could result in some dangerous situations on the road. For example, if someone with remote access starts blasting music on max volume while the driver is on the highway, or randomly and uncontrollably remotely flashing the lights of the Teslas at night.

I would prefer that not to happen."

Security vulnerability in TeslaMate

Despite his age, Colombo has as much knowledge as anyone when it comes to cybersecurity.

He dropped out of school when he was 15 to start his own security company, Colombo Technology, and has discovered various vulnerabilities in organizations such as Red Bull and the United States Department of Defense.

So when he shared this tweet earlier this month, many took notice:

In his Medium post, Colombo reveals that a vulnerability in TeslaMate allowed him to gain remote access to vehicles.

Michael Isbitski, Technical Evangelist at Salt Security, summarizes how TeslaMate works:

"The incident originated from a vulnerable open-source application, TeslaMate. The app enables Tesla owners to gather and report on data from their vehicles with visualizations. TeslaMate uses Grafana under the hood, which is a common open-source dashboard tool and data visualization engine.

TeslaMate connects to Tesla services via APIs to gather data about a vehicle including driving routes and car location. The API also provides some interactivity with the physical vehicle such as unlocking doors and windows, starting keyless driving, and honking the horn. The Tesla API uses API keys as a primary means of authentication, and the TeslaMate application stored these API keys within the Grafana instance insecurely."

This means there was a long list of possible data to query or commands to run. Colombo explains:

"You could run commands that annoy the shit out of the Tesla owner (imagine music blasts at max volume and every time you want to turn it off it just starts again, or imagine every time you unlock your doors they just lock again), you could watch every move the Tesla owner does (it's kinda strange watching people driving to get groceries or knowing exactly where they live and yet there's no way you can report that to them), and you could even steal the Tesla as already mentioned in the introduction of this writeup."

He added that he was able to view maps displaying driving routes of Tesla owners. Here is an example of one Tesla Model Y driving around California:

In total, Colombo says he found more than 25 Teslas in 13 countries with this vulnerability in a matter of hours. This includes Germany, Belgium, Finland, Denmark, the U.K., the U.S., Canada, Italy, Ireland, France, Austria, and Switzerland.

He also noted that his initial scan resulted in over 300 found instances, but he was not able to confirm if they were vulnerable because the Tesla Security Team asked him not to access any more cars. Tesla has since "revoked thousands of keys," indicating this could be a much more widespread issue than Colombo initially thought.

Additional vulnerability in Tesla API

Part of Colombo's efforts in discovering this vulnerability involved notifying the affected Tesla owners of the security flaw in their car.

While trying to find a way to contact them, he found another vulnerability that allowed him to "query the email addresses of Tesla owners using tokens that got already revoked by the Tesla Security Team." He found this quite amusing:

"At the beginning of the story I didn't have any way to find owner-identifying information, and now I can query email address even with revoked access. Kind of ironic!

I reported this issue to the Tesla Security Team immediately. They confirmed the vulnerability and rolled out a fix into production shortly after. This one is also eligible for bug bounty from Tesla :D (I hope this pays for all my coffees of the past two weeks.)"

This incident can serve as a good reminder to organizations who rely on API connections. Isbitski discusses:

"Reliance on API keys as a sole means of authentication, use of insecure defaults, and leaving anonymous access enabled all diminish API security. The incident also reiterates that dependencies matter. An organization's security concerns don't begin and end with the APIs it builds or integrates.

Practitioners must also consider how third parties including developers, partners, and suppliers will use the organization's APIs. Digital supply chains can often include ineffective or insecure API integrations with third-party services. This incident is a prime example of that reality, which effectively diminished the security of Tesla vehicles for some owners."
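The two weaknesses Isbitski names, anonymous access left enabled and API credentials kept in plaintext, can be checked in a deployment's own Grafana configuration before it is ever exposed. The audit script below is an added example, not code from the article, TeslaMate or Grafana; the `vehicle-api` datasource and its `apiToken` key are constructed, while `[auth.anonymous] enabled` and the `jsonData`/`secureJsonData` provisioning keys are Grafana's real setting names.

```python
"""Audit a Grafana deployment for the two weaknesses the article names:
anonymous access enabled and API credentials kept in plaintext datasource config.
Sample inputs are constructed; setting names are Grafana's own."""
import configparser
import re

# Constructed grafana.ini fragments: the weak setting beside the corrected one.
WEAK_INI = """
[auth.anonymous]
enabled = true
org_role = Viewer
"""
HARDENED_INI = """
[auth.anonymous]
enabled = false
"""

# Constructed datasource provisioning entries (as dicts, i.e. already loaded
# from the provisioning YAML). Grafana stores jsonData in the clear and
# secureJsonData encrypted at rest, so credentials belong only in the latter.
WEAK_DS = {"name": "vehicle-api", "type": "postgres",
           "jsonData": {"sslmode": "require", "apiToken": "<redacted>"}}
HARDENED_DS = {"name": "vehicle-api", "type": "postgres",
               "jsonData": {"sslmode": "require"},
               "secureJsonData": {"apiToken": "<redacted>"}}

# Key names that look like credentials (constructed heuristic).
SECRET_KEY_RE = re.compile(r"(token|password|secret|api[_-]?key)", re.I)

def anonymous_access_enabled(ini_text):
    """True when [auth.anonymous] enabled is set, i.e. dashboards and every
    datasource query behind them are reachable without logging in."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp.getboolean("auth.anonymous", "enabled", fallback=False)

def plaintext_secrets(datasource):
    """Credential-looking keys placed in jsonData instead of secureJsonData."""
    return sorted(k for k in datasource.get("jsonData", {}) if SECRET_KEY_RE.search(k))

def audit(ini_text, datasources):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if anonymous_access_enabled(ini_text):
        findings.append("anonymous access enabled: disable [auth.anonymous] or put Grafana behind authentication")
    for ds in datasources:
        for key in plaintext_secrets(ds):
            findings.append(f"datasource {ds['name']!r}: {key!r} is in jsonData; move it to secureJsonData")
    return findings

if __name__ == "__main__":
    for label, ini, ds in (("weak", WEAK_INI, WEAK_DS), ("hardened", HARDENED_INI, HARDENED_DS)):
        print(label, audit(ini, [ds]) or "no findings")
```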

For more technical information on the Tesla vulnerability and a detailed timeline of the events, see David Colombo's post, How I got access to 25+ Teslas around the world. By accident. And curiosity.
