How was the 'third-party software vulnerability that could hijack some features of a Tesla car' discovered?
In January 2022, it was reported that some functions of a car could be hijacked from the outside by taking advantage of the vulnerability of third-party software released for Tesla cars. Security researcher David Colombo, who discovered a critical vulnerability at the age of 19, talks about how he discovered the vulnerability.
How I got access to 25+ Tesla's around the world. By accident. And curiosity. | By David Colombo | Jan, 2022 | Medium
The third-party software vulnerabilities discovered by Colombo include unlocking the security features of Tesla cars, 'Sentry Mode, ' opening and closing doors and windows, starting keyless driving, operating car audio systems, and sharing videos with vehicles. It is said that such things will be possible. When Colombo reported the vulnerability on Twitter with the software name and details hidden, many people responded.
There is a vulnerability in software for Tesla that can hack car functions --GIGAZINE
Initially, the details of the software were hidden, but after the software problem was fixed, Colombo published a blog reporting the details of the vulnerability and how it was discovered. It seems that the vulnerability was found in a dashboard tool called 'TeslaMate' that can access data including the driving history and location information of the Tesla car, and Colombo says that it is not the software that comes with the Tesla car itself from the beginning. Emphasizes.
Mr. Colombo started coding at the age of 10 and jumped into the world of cyber security, and from the age of 15, he received special permission to reduce the number of days he attends school and started his own cyber security company. Colombo Technology, launched by Colombo, is a company that provides services such as security audits, penetration testing, vulnerability scanning, and security consulting for enterprises. Since then, Colombo says he has discovered vulnerabilities in Red Bull, the Pentagon, and other nondisclosure agreements.
In October 2021, Colombo, who tried to contact a Colombo Technology client, was conducting a preliminary survey of the services and platforms used by the client. In the meantime, Colombo, who happened to succeed in accessing the Tesla Mate screen from a browser, conducted further research because he was originally a fan of Tesla cars. He said that he investigated the source code of TeslaMate, which is open source, and found a way to access the dashboard using Grafana for data display.
Here is a screenshot taken by Colombo who actually accessed the Tesla Mate dashboard. It seems that the Tesla Mate that was the subject of the survey was used by the Tesla car owned by the CTO of the client company, and the place where the Tesla car visited mainly in Paris is clear including the route. 'I was able to see a lot of data, where the Tesla car was, where it was charged, where it was usually parked, when it was driven, and at what speed, Colombo said. Maybe you used navigation, software update history, the weather where the Tesla car was, etc. '' You shouldn't know where this CTO visited last year on vacation, 'Colombo said.
However, although Colombo knew that it was a problem that should be fully reported at this point, he was curious that 'Is it possible to use this vulnerability to send commands to Tesla cars?' It seems that he decided. After that, I read the source code of Tesla Mate, which is open source, and investigated how Tesla's credentials are handled and where to store the API key of the Tesla car, and the API key is encrypted. It turns out that it is stored in the same location as the other data.
And Mr. Colombo confirmed that he could log in to Grafana with the default credentials and use the API token from the outside to operate some functions of the Tesla car. You cannot operate the steering, accelerator, brakes, etc. using this vulnerability, but you can steal a Tesla car by unlocking the door and starting keyless driving. Colombo also points out that it could be a dangerous situation on the road, as you could play music with a roaring sound while driving to surprise the driver or mess with the lights at night. ..
Colombo finally contacted the client's CTO when he was convinced that an outside attacker could operate the CTO's Tesla vehicle in a similar procedure. This was October 29, 2021, but Colombo, who was still concerned about the TeslaMate vulnerability, searched the Internet for the TeslaMate dashboard, which was affected again on January 9, 2022. As a result, it was possible to access the Tesla Mate installed in more than 25 Tesla vehicles in 13 countries in just a few hours.
Initially, Colombo tried to personally contact the owner of a Tesla car that remained vulnerable to Tesla Mate, but this was so difficult that he was frustrated on January 10th, saying, 'I'm in 10 countries. I have full remote access to more than 20 Tesla cars in, but there is no way to find and notify the owner. ' In addition, since the writing 'has full remote access' is incorrect, he later apologized 'I'm really sorry' for causing a great deal of confusion.
So, I now have full remote control of over 20 Tesla's in 10 countries and there seems to be no way to find the owners and report it to them…
— David Colombo (@david_colombo_) January 10, 2022
Understanding that there was no legal way to get the contact information for the affected Tesla car owner, Colombo contacted Tesla's security team on January 11, and the security team removed the offending API token. , The affected Tesla car owner was notified by email. In addition, since Tesla deleted thousands of API keys, Colombo said that this vulnerability may have affected a wider range than originally imagined.
Although this vulnerability does not exist in Tesla's infrastructure, Tesla can implement improvement measures such as adding multiple API scopes and canceling API tokens when the account password is reset. Pointed out. He also argued that although TeslaMate was vulnerable, it was a great piece of software by developers and maintainers, and they didn't want to hold them entirely responsible.
Related Posts:
