Researcher Says Flaw Allows Remote Access to Teslas – GovInfoSecurity.com


Endpoint Security, Governance & Risk Management, Identity & Access Management

Flaw Doesn’t Affect Acceleration, Braking or Steering

A Tesla Roadster.

A security researcher says he’s discovered a software flaw affecting a small number of Teslas, allowing him to unlock doors and windows, start vehicles without keys and disable security systems.


David Colombo describes himself as a 19-year-old cybersecurity specialist who is based in Dinkelsbühl, Germany. Early Tuesday, Colombo tweeted that he’d been able to remotely access more than 25 Teslas in 13 countries without the owners’ knowledge.

Efforts to reach Colombo have not been successful.

But Colombo tweets he was also able to query a vehicle’s location, an obvious privacy concern. He says he can turn off Sentry Mode, which uses motion sensors and cameras as part of a security system.

Colombo says he can also see if a driver is present, manipulate the entertainment system, honk the horn and much more. For example, he could see what name an owner has assigned a Tesla, which in one case Colombo tweeted is “Red Dwarf.” However, Colombo says he can’t use the flaw to control steering, acceleration or braking.

Colombo tweets that he’s working on a writeup describing the vulnerability and has been in contact with Tesla’s security team. The issue he found has also been allocated a CVE by Mitre, which catalogs security vulnerabilities.

John Jackson, a senior offensive security consultant with SpiderLabs and founder of the independent security research group Sakura Samurai, says he’s seen Colombo’s findings and says they’re “legit.”

“The findings, while not necessarily indicative of a Tesla-specific flaw, present a serious security concern and there’s a chance that some of these owners don’t realize that they are exposing their vehicles,” Jackson says.

Flaw Not on Tesla’s Side

Colombo has not revealed the exact details of the vulnerability, but he tweeted a series of intriguing clues. For one, he tweeted that the vulnerability is not within Tesla’s software or infrastructure. Also, he tweeted that only a small number of Tesla owners are affected.

A variety of third-party apps exist for Tesla’s vehicles, offering features such as performance metrics, maps and directions, and remote controls such as unlocking doors, flashing lights and honking the horn.

The finding would appear to pose tangential risks to drivers. Colombo theorized that he could suddenly blast music at the highest volume while someone is driving, which could cause someone to lose control of their vehicle.

Tesla runs a bug bounty program through BugCrowd, a vulnerability disclosure platform. Tesla allows security researchers to register their own vehicles for security testing, which Tesla will pre-approve. The company pays up to $15,000 for a qualifying vulnerability.

Tesla will also accept reports of bugs in third-party libraries or other external projects. According to its product security page, Tesla says it may forward those reports to those developers.

“We will do our best to coordinate and communicate with researchers through this process,” Tesla says.

Source: https://www.govinfosecurity.com/researcher-says-flaw-allows-remote-access-to-teslas-a-18292
