
Tesla Security Flaw: Remote Access Risk in Third-Party Software

January 24, 2022

Tesla Security Vulnerability: Remote Access to Vehicles Exposed

A security researcher showed he could remotely access dozens of Tesla vehicles around the world. The access came not from Tesla's own systems but from security flaws in an open-source logging tool popular with Tesla owners, which, together with how owners deployed it, left their cars reachable from the internet.

Initial Discovery and Disclosure

David Colombo, a German security researcher, initially publicized the vulnerability earlier this month via a social media post. He reported possessing “full remote control” over more than 25 Teslas, but faced challenges in notifying owners without simultaneously alerting potential malicious actors.

Fortunately, the identified bug has since been resolved, as confirmed by Colombo. TechCrunch deliberately delayed publication of this story until the vulnerability was no longer exploitable. Colombo subsequently detailed his findings in a published blog post.

The Role of TeslaMate

Colombo explained to TechCrunch that the vulnerabilities resided within TeslaMate, a freely downloadable software utilized by Tesla owners. This software allows connection to their vehicles and access to detailed data not typically available – including energy consumption, location history, and driving statistics – for diagnostic and troubleshooting purposes.

TeslaMate operates as a self-hosted web dashboard, frequently running on a computer in a Tesla owner's home. It polls Tesla's API for vehicle data using an access token tied to the owner's account, and it stores that token so it can keep polling; whoever holds the token can call the API as the owner.

Exposure and Misconfigurations

However, weaknesses in the web dashboard itself, such as allowing anonymous access and shipping with default passwords that some users never changed, combined with owners publishing the service beyond their home network, left at least a hundred TeslaMate dashboards directly reachable from the internet. An exposed dashboard also revealed the owner's API key, the credential used to control the car remotely.

Colombo indicated during a conversation with TechCrunch that the actual number of affected Teslas is likely considerably higher.
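The three conditions the article names (a dashboard published to every network interface, a default admin password, and anonymous access left on) can all be read off a deployment's compose file before it ever goes live. The following is an added example, not TeslaMate's own tooling: it audits the parsed form of a docker-compose file (what `yaml.safe_load` would return) for those three weaknesses. TeslaMate renders its dashboards with Grafana, and the `GF_SECURITY_ADMIN_PASSWORD` and `GF_AUTH_ANONYMOUS_ENABLED` variables are Grafana's real settings; the two sample compose structures below are constructed for the example and are not a TeslaMate release file.

```python
"""Audit a TeslaMate-style docker-compose deployment for the exposures the
article describes: a dashboard port published on all interfaces instead of
loopback, a Grafana admin password left unset or at a default, and anonymous
Grafana access enabled.

Added example, not TeslaMate's own code. Input is the parsed compose file
(yaml.safe_load output); the sample deployments at the bottom are constructed.
"""
from typing import Any, Dict, List, Tuple

# Grafana's admin password is "admin" when GF_SECURITY_ADMIN_PASSWORD is unset.
DEFAULT_DASHBOARD_PASSWORDS = {"", "admin", "password"}
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def _env_as_dict(env: Any) -> Dict[str, str]:
    """Compose accepts environment as a mapping or as a list of KEY=VALUE strings."""
    if env is None:
        return {}
    if isinstance(env, dict):
        return {str(k): ("" if v is None else str(v)) for k, v in env.items()}
    out: Dict[str, str] = {}
    for item in env:
        key, _, value = str(item).partition("=")
        out[key] = value
    return out


def _published_on_all_interfaces(port_spec: Any) -> bool:
    """True for '3000:3000' or '0.0.0.0:3000:3000'; False for '127.0.0.1:3000:3000'."""
    if isinstance(port_spec, dict):  # long syntax: {target:, published:, host_ip:}
        return str(port_spec.get("host_ip", "")) not in LOOPBACK_HOSTS
    parts = str(port_spec).split(":")
    if len(parts) < 3:  # "HOST:CONTAINER" or bare "CONTAINER": no host IP given
        return True
    host_ip = ":".join(parts[:-2]).strip("[]")  # tolerate IPv6 literals like "[::1]"
    return host_ip not in LOOPBACK_HOSTS


def audit_compose(compose: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (service, finding) pairs; an empty list means nothing was flagged."""
    findings: List[Tuple[str, str]] = []
    for name, service in (compose.get("services") or {}).items():
        service = service or {}
        for spec in service.get("ports") or []:
            if _published_on_all_interfaces(spec):
                findings.append((name, f"port {spec} is published on all interfaces; "
                                       "bind it to 127.0.0.1 or drop the mapping"))
        is_grafana = "grafana" in name.lower() or "grafana" in str(service.get("image", "")).lower()
        if is_grafana:
            env = _env_as_dict(service.get("environment"))
            if env.get("GF_SECURITY_ADMIN_PASSWORD", "") in DEFAULT_DASHBOARD_PASSWORDS:
                findings.append((name, "Grafana admin password is unset or a default; "
                                       "set GF_SECURITY_ADMIN_PASSWORD to a unique value"))
            if env.get("GF_AUTH_ANONYMOUS_ENABLED", "false").lower() == "true":
                findings.append((name, "anonymous Grafana access is enabled; "
                                       "set GF_AUTH_ANONYMOUS_ENABLED=false"))
    return findings


# Constructed sample: the weak deployment beside the hardened one.
WEAK_COMPOSE = {
    "services": {
        "teslamate": {"image": "teslamate/teslamate:latest", "ports": ["4000:4000"]},
        "grafana": {
            "image": "grafana/grafana:latest",
            "environment": ["GF_SECURITY_ADMIN_USER=admin",
                            "GF_SECURITY_ADMIN_PASSWORD=admin",
                            "GF_AUTH_ANONYMOUS_ENABLED=true"],
            "ports": ["3000:3000"],
        },
    }
}
HARDENED_COMPOSE = {
    "services": {
        "teslamate": {"image": "teslamate/teslamate:latest", "ports": ["127.0.0.1:4000:4000"]},
        "grafana": {
            "image": "grafana/grafana:latest",
            "environment": {"GF_SECURITY_ADMIN_USER": "admin",
                            "GF_SECURITY_ADMIN_PASSWORD": "L0ng-unique-passphrase",
                            "GF_AUTH_ANONYMOUS_ENABLED": "false"},
            "ports": ["127.0.0.1:3000:3000"],
        },
    }
}

if __name__ == "__main__":
    for label, compose in (("weak", WEAK_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(f"{label}: {len(audit_compose(compose))} finding(s)")
        for service, finding in audit_compose(compose):
            print(f"  {service}: {finding}")
```

Binding to loopback only protects the host itself; anyone who then wants remote access should reach the dashboard over a VPN into the home network rather than by re-opening the port, which is the deployment the maintainer's documentation describes.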

Geographic Scope of the Vulnerability

Colombo’s initial discovery of an unprotected dashboard last year prompted a broader internet scan. This revealed exposed Teslas in various locations, including the U.K., Europe, Canada, China, and across the United States.

Attempting to directly contact individual Tesla owners with exposed dashboards presented a significant logistical hurdle, and accurately identifying affected customers proved difficult in many instances.

API Key Exploitation

Critically, the exposed dashboards allowed extraction of Tesla users' API keys. An API key of this kind is a bearer credential: anyone who holds it can call Tesla's API as the owner without knowing the account password, and it stays valid until it is revoked. That allowed a malicious actor to keep long-term access to a vehicle without the owner's awareness. An API facilitates communication between systems, in this case a Tesla vehicle and Tesla's servers, the Tesla app, or a TeslaMate dashboard.

Access to Tesla's API is restricted to authorized owners through an access token (the "API key" referred to here) tied to their account.

Demonstrated Capabilities

With access to an exposed API key, Colombo demonstrated the ability to remotely control certain vehicle functions. With the consent of a Tesla owner in Ireland, he unlocked doors and windows, sounded the horn, and enabled keyless driving, which lets the car be started without its key.

He could also read vehicle data, including current location, recent driving routes, and parking locations. Colombo said he does not believe the API can be used to drive a car remotely.

Tesla’s Potential Improvements

While the flaws were not in Tesla's own systems, Colombo suggested improvements on Tesla's side. He proposed that Tesla revoke a customer's API keys whenever the account password changes, a common industry practice, so that a token copied from an exposed dashboard would stop working as soon as the owner reset their password.
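The practice Colombo proposes is simple to implement on the token-issuing side: each token records the credential version it was issued under, a password change bumps that version, and authorization rejects any token whose version no longer matches. The following is an added example, not Tesla's or TeslaMate's code, and the `TokenService` class and its method names are hypothetical; it walks a leaked token through a password change to show the token dying with the old password.

```python
"""Bind API tokens to the account password so a password change revokes them.

Added example, not Tesla's or TeslaMate's code. Every token records the
credential version it was issued under; change_password() bumps that version,
so any token minted earlier (including one copied out of an exposed dashboard)
stops authorizing. Class and method names are hypothetical.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    credential_version: int = 1  # incremented on every password change


class TokenService:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        # token -> (username, credential_version at issue time)
        self._tokens: Dict[str, Tuple[str, int]] = {}

    def create_account(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[username] = Account(username, salt, _hash_password(password, salt))

    def _verify(self, username: str, password: str) -> Optional[Account]:
        acct = self._accounts.get(username)
        if acct is None:
            return None
        if not hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt)):
            return None
        return acct

    def login(self, username: str, password: str) -> Optional[str]:
        """Issue a bearer token; from here on the caller needs only the token."""
        acct = self._verify(username, password)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, acct.credential_version)
        return token

    def authorize(self, token: str) -> Optional[str]:
        """Return the account the token acts for, or None if unknown or revoked."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, issued_version = entry
        if issued_version != self._accounts[username].credential_version:
            self._tokens.pop(token)  # issued before the last password change: revoked
            return None
        return username

    def change_password(self, username: str, old: str, new: str) -> bool:
        acct = self._verify(username, old)
        if acct is None:
            return False
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new, acct.salt)
        acct.credential_version += 1  # every outstanding token now fails authorize()
        return True


def demo() -> Dict[str, bool]:
    """A leaked token before and after the owner changes the password."""
    svc = TokenService()
    svc.create_account("owner", "original passphrase")
    leaked = svc.login("owner", "original passphrase")  # imagine this copied from an exposed dashboard
    valid_before = svc.authorize(leaked) == "owner"
    svc.change_password("owner", "original passphrase", "new passphrase")
    valid_after = svc.authorize(leaked) == "owner"
    fresh = svc.login("owner", "new passphrase")
    return {
        "leaked_token_valid_before_change": valid_before,    # True
        "leaked_token_valid_after_change": valid_after,      # False
        "fresh_token_valid": svc.authorize(fresh) == "owner",  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The version check runs on every request rather than by walking the token table at password-change time, so revocation is immediate even when tokens are stored somewhere the password service cannot enumerate; a real deployment would keep the version in the token's signed payload or in the session store rather than in an in-memory dict.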

Remediation and Response

Following a private report of the vulnerabilities, TeslaMate released a software fix requiring manual installation by users to prevent unauthorized access. Adrian Kumpf, the TeslaMate project maintainer, informed TechCrunch that the update was deployed within hours of receiving Colombo’s report.

Kumpf emphasized that, because the software is self-hosted, TeslaMate cannot stop users from exposing their installations to the internet. He noted that the documentation consistently tells users to run it on their home network precisely to avoid compromise of the API token. Users who chose the advanced installation option were reportedly unaffected.

Colombo reported that Tesla revoked thousands of drivers’ API keys, potentially indicating a wider scope of the issue than initially estimated. Tesla did not provide a comment prior to publication, having disbanded its public relations team in 2020.
