Software bug could have let hackers remotely access your Tesla

Connected cars are more popular than ever, especially since they offer a great many high-tech features to make the driving experience more enjoyable. However, more connectivity means more room for possible exploitation, as this story shows.

Security researcher David Colombo discovered a vulnerability that could allow someone to remotely access a Tesla. In fact, Colombo himself is said to have had access to over 25 different Tesla cars in 13 countries — all without alerting the respective owners. (Colombo said he had no way to reach them.)

The good news is that this vulnerability is not an issue with Tesla's infrastructure. In fact, Colombo told TechCrunch and explained in a blog post that the issues lay with TeslaMate, a free open-source logging tool that lets Tesla owners connect to their vehicles and access previously hidden data.

TeslaMate relies on Tesla’s API to access owners’ cars, allowing owners to see things like energy consumption, driving statistics and so on. However, issues with the web dashboard’s security, and some misconfiguration by owners themselves, meant that over a hundred user dashboards were exposed online.

Colombo also discovered that it was possible to extract a user’s Tesla API key from an exposed dashboard — thereby granting ne’er-do-wells long-term access to vulnerable cars. The Tesla API key, for those that don’t know, is what allows Tesla owners to access the Tesla API.

Having an exposed API key meant vulnerable Teslas could be accessed remotely — allowing an interloper to access sensitive data or control various features on the car. That includes opening doors and windows, honking the horn, controlling music and lights, and even remotely starting the car with Tesla’s keyless-driving feature.

Colombo was quick to point out that remote access does not allow a hacker to remotely control the car’s steering, acceleration or brakes. Nor could a remote hacker intervene if someone was driving the car.

However, hackers could cause serious distractions mid-drive, including rickrolling the driver at max volume. That’s possible thanks to the Tesla YouTube app, and is obviously the kind of thing that could shock a driver into losing control of the car.

Colombo first mentioned this vulnerability on Twitter two weeks ago, but didn’t go into much detail in order to protect affected drivers. TeslaMate then reportedly pushed an update to fix the vulnerabilities within hours of Colombo reporting them. 

TeslaMate project maintainer Adam Kumpf told TechCrunch that it can’t protect against users accidentally exposing their systems to the wider internet — noting that TeslaMate has been warning users about the risks for some time. However, users who opt for the advanced installation have nothing to worry about.

Tom Pritchard

Tom is Tom's Guide's Automotive Editor, which means he can usually be found knee deep in stats on the latest and best electric cars, or checking out some sort of driving gadget. It's a long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining that Ikea won’t let him buy the stuff he really needs online.