If your car suddenly honks by itself, locks windows and doors and plays videos loudly on the entertainment system, then something must be seriously broken. Or a hacker has managed to gain access to the car via the Internet and control some functions remotely. Some Tesla owners recently had this unpleasant experience – but were lucky in the end.
In this case, the hacker had no bad intentions, on the contrary: the discoveries have meanwhile closed some security gaps. At best, they will ensure that the owners of networked cars give more thought to IT security.
 |
| The World's Most Powerful Supercomputer |
We owe this to David Colombo, a 19-year-old IT security expert with his own company in Dinkelsbühl, Franconia. Almost two weeks ago, he first made it public on Twitter that he had access to 20 Teslas in ten countries. On Tuesday, he shared exactly how that came about in a lengthy blog post . The subtitle: How the hell did a 19-year-old from Germany manage to take over 25+ Teslas around the world?
It all started in October, when Colombo subjected a customer's system in France to a security check. There, behind a subdomain, he discovered an application that, on closer inspection, turned out to be an installation of software called TeslaMate, which the customer's head of technology had apparently set up.
Access thanks to standard login
TeslaMate is a so-called data logger that evaluates data from Tesla vehicles and presents them graphically to the owners. This gives them additional information about usage, such as power consumption and the routes of past trips.
 |
| A Cyberattack |
To do this, TeslaMate must be installed on its own server and then connected to a Tesla. Compared to other manufacturers, Tesla makes it quite easy to read the data, which is why there are numerous third-party applications that make use of it. TeslaMate is just one application among many.
The fact that Colombo could access the TeslaMate installation and see where the owner had last driven was not all. The expert wanted to know whether it was possible to send commands to the car via the software. After all, there was already a connection between the software and the car. After Colombo took a closer look at the TeslaMate source code, he actually managed to find the so-called API key that linked the car to the application.
 |
| Who Has Seen Your Profile |
Colombo was then able to access the TeslaMate graphical user interface by entering default credentials that are in effect as long as the user does not change them. From there, he could then run commands using the previously discovered API key. "That was the point where I could fully confirm that it is indeed possible that an outside attacker could perform these steps and end up having significant control over the CTO's Tesla," writes Colombo.
What does significant control mean? According to the researcher, attackers could not control the car remotely or apply the brakes in this way. However, he could still have "really annoyed" the owners if he had wanted to: He could, among other things, operate the horn and lights, play videos via the entertainment system and lock both the doors and windows and thus theoretically steal the vehicle. Thanks to the data contained in TeslaMate, the attackers finally know where the car is and where its owners live, work and shop.
 |
| WhatsApp Chat History |
After the young security researcher had informed his customer about the vulnerability, he wanted to know whether the problem could affect other Tesla owners. He ran an automated query that scanned the internet for other TeslaMate installations. In fact, he came across numerous other installations that were similarly unsafe. In the end, Colombo found around 300 Teslas that were presumably vulnerable. Colombo was able to confirm access to about 25 of them. He originally wanted to inform all owners about the vulnerability, but in most cases he couldn't find a way to contact them.
David Colombo therefore informed both the developers of TeslaMate and Tesla itself. TeslaMate has now released a new version that is intended to prevent unsafe installations. And Tesla has also confirmed that it will take care of the matter. As Colombo writes, all owners affected by the gap should have been informed by now.
They are said to have received new API keys in case the existing ones are compromised. Reports of thousands of Tesla drivers having their keys reset these days suggest the issue may have affected even more people than initially thought.
Connected cars attract cybercriminals
In the end, the story ended lightly because David Colombo quickly warned the relevant parties. But the thing shows once again the dangers that can emanate from networked cars. What began a few years ago with hackable radio keys is an increasing problem in the age of fully networked vehicles.
"Vehicles are gaining in intelligence, computing power and connectivity, which creates new attack scenarios for cybercriminals," says an analysis by the IT security company TrendMicro from last year, which deals with networked cars. According to the experts , a modern car has around 100 million lines of source code and up to 100 electronically controllable modules . WLAN and Bluetooth connections, but also personal SIM cards, which cars can now use to connect to the mobile Internet, open up new entry points for attackers. And developments in the field of autonomous driving in particular require that more and more data leave the vehicle and be shared with third parties.
Colombo writes that it was "basically a chain of problems" that led to the partial takeover of the Teslas in the current case: "The owners, the third-party provider and Tesla itself could have taken steps to prevent all of this." The owners should always question who and which apps they give access to the vehicle and keep this software up to date. In addition, they should activate a function called Pin to Drive, where you can only start driving after entering an additional pin. App developers should pay even more attention to security and always save API keys in encrypted form.
And Tesla? The carmaker might want to rethink the way the API keys are exposed. "These are basically car keys," writes Colombo. Therefore, the owners should always know where they are stored.
Do You Know What We Have Posted on
0 Comments