Connected cars are more popular than ever, especially since they offer a great many high-tech features to make the driving experience more enjoyable. However, more connectivity means more room for possible exploitation, as this story shows.
Security researcher David Colombo discovered a vulnerability that could allow someone to remotely access a Tesla. In fact, Colombo himself is said to have had access to over 25 different Tesla cars in 13 countries — all without alerting the respective owners. (Colombo said he had no way to reach them.)
The good news is that this vulnerability is not an issue with Tesla's infrastructure. In fact, Colombo told TechCrunch and explained in a blog post that the issues lay with TeslaMate, a free open-source logging tool that lets Tesla owners connect to their vehicles and access previously hidden data.
TeslaMate relies on Tesla’s API to access owners’ cars, allowing owners to see things like energy consumption, driving statistics and so on. However, issues with the web dashboard’s security, and some misconfiguration by owners themselves, meant that over a hundred user dashboards were exposed online.
Colombo also discovered that it was possible to extract a user’s Tesla API key from an exposed dashboard — thereby granting ne’er-do-wells long-term access to vulnerable cars. The Tesla API key, for those who don’t know, is what allows Tesla owners to access the Tesla API.
Having an exposed API key meant vulnerable Teslas could be accessed remotely — allowing an interloper to access sensitive data or control various features on the car. That includes opening doors and windows, honking the horn, controlling music and lights, and even remotely starting the car with Tesla’s keyless-driving feature.
Colombo was quick to point out that remote access does not allow a hacker to remotely control the car’s steering, acceleration or brakes. Nor could a remote hacker intervene if someone was driving the car.
However, hackers could cause serious distractions mid-drive, including rickrolling the driver at max volume. That’s possible thanks to the Tesla YouTube app, and is obviously the kind of thing that could shock a driver into losing control of the car.
Colombo first mentioned this vulnerability on Twitter two weeks ago, but didn’t go into much detail in order to protect affected drivers. TeslaMate then reportedly pushed an update to fix the vulnerabilities within hours of Colombo reporting them.
TeslaMate project maintainer Adam Kumpf told TechCrunch that the project can’t protect against users accidentally exposing their systems to the wider internet — noting that TeslaMate has been warning users about the risks for some time. However, users who opt for the advanced installation have nothing to worry about.
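As an added illustration of the owner-side misconfiguration described above (not code from Colombo's write-up or from the TeslaMate project): a small audit of a docker-compose file that flags dashboard ports published on every interface and rewrites them to the loopback-only binding that a reverse-proxied setup such as the project's advanced installation relies on. It assumes TeslaMate's stock compose publishes the web UI on host port 4000 and Grafana on 3000, and the sample compose text is constructed.

```python
# Added audit helper, not TeslaMate project code. Assumes TeslaMate's stock
# docker-compose publishes the web UI on host port 4000 and Grafana on 3000.
DASHBOARD_PORTS = {"3000", "4000"}
WILDCARDS = ("", "0.0.0.0", "[::]")

def port_mappings(compose_text):
    """Collect entries under each 'ports:' key with a line-based scan, so no
    YAML library is needed. Short syntax only: host:container or ip:host:container."""
    mappings, ports_indent = [], None
    for line in compose_text.splitlines():
        stripped, indent = line.strip(), len(line) - len(line.lstrip())
        if stripped == "ports:":
            ports_indent = indent
        elif ports_indent is not None and indent > ports_indent \
                and stripped.startswith("-"):
            mappings.append(stripped[1:].strip().strip("\"'"))
        else:
            ports_indent = None
    return [m for m in mappings if ":" in m]  # skip bare container-port entries

def is_exposed(mapping):
    """True when the host side listens on every interface: no bind address
    given (Docker then uses 0.0.0.0) or an explicit wildcard address."""
    parts = mapping.rsplit(":", 2)
    return len(parts) == 2 or parts[0] in WILDCARDS

def harden(mapping):
    """Pin a wildcard mapping to loopback; an authenticating TLS reverse proxy,
    as in TeslaMate's advanced setup, then sits in front of the dashboard."""
    if not is_exposed(mapping):
        return mapping
    return "127.0.0.1:" + ":".join(mapping.rsplit(":", 2)[-2:])

def audit(compose_text):
    """(mapping, hardened) pairs for dashboard ports open to all interfaces."""
    return [(m, harden(m)) for m in port_mappings(compose_text)
            if m.rsplit(":", 2)[-2] in DASHBOARD_PORTS and is_exposed(m)]

# Constructed sample in the shape of TeslaMate's compose file, not the real file.
SAMPLE_COMPOSE = """\
services:
  teslamate:
    image: teslamate/teslamate:latest
    ports:
      - "4000:4000"
  grafana:
    image: teslamate/grafana:latest
    ports:
      - "127.0.0.1:3000:3000"
"""
```

Running `audit(SAMPLE_COMPOSE)` reports only the TeslaMate web UI mapping, since the Grafana entry in the sample is already bound to loopback.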