TeslaMate vulnerability allows dozens of Tesla electric vehicles to be remotely accessed

Earlier this month, German security researcher David Colombo first disclosed, in a tweet, a serious concern affecting Tesla’s electric vehicles. The cars were exposed directly to the internet because of a security flaw in a popular third-party open-source logging tool. If exploited by an attacker, the vulnerability could allow the doors to be unlocked remotely, the horn to be honked, and even the car to be started.

In a blog post on Monday, David Colombo described how he stumbled across the bug and “completely remote-controlled” more than 25 Tesla electric vehicles, following a string of related tweets.


Thankfully, he has been working diligently to disclose the issue to the affected car owners and has not released details that could help malicious actors. The vulnerability has now been officially fixed and can no longer be exploited publicly.

David Colombo said in an interview that he discovered the remote vulnerability in TeslaMate. TeslaMate is free logging software that many Tesla owners use to connect to their in-vehicle systems. It gives owners easy access to data that is hidden by default, including battery consumption, location history, driving statistics, and a variety of fine-grained information useful for troubleshooting and diagnosing problems.

As a “self-hosted” web dashboard, TeslaMate typically runs on a hobbyist’s home computer and relies on Tesla’s APIs to access the in-vehicle data associated with the owner’s account. However, security weaknesses in the web dashboard – such as allowing anonymous access and using default passwords that users never changed – coupled with misconfiguration by car owners meant that at least hundreds of TeslaMate dashboards were directly exposed on the Internet.

The exposure also puts at risk the API keys that can be used to remotely control the Tesla cars. In addition, Colombo said in a phone interview with foreign media that the number of affected cars may be higher. After stumbling across dashboards exposed on the public web last year, Colombo found that TeslaMate has no protections in place by default.

A search of the Internet showed that the affected car owners are located in the UK, the US, Europe, China, Canada and other markets; it even turned up a recent travel route that someone had driven across California. Worse yet, an attacker could extract the user’s API key, so that someone with ulterior motives could maintain long-term stealthy access to the Tesla electric vehicle without the owner’s knowledge.

It is reported that after the vulnerability was privately reported, TeslaMate pushed a new version of the software, but users must install it manually to fully close off the access vulnerability. Fortunately, Tesla has revoked thousands of API keys. In addition, actually exploiting the vulnerability would still require fairly sophisticated and cumbersome operations. And in many cases, it is impossible to identify and contact the affected car owner.
