
Researcher Says Flaw Allows Remote Access to Teslas

Flaw Doesn't Affect Acceleration, Braking or Steering
A Tesla Roadster

A security researcher says he's discovered a software flaw affecting a small number of Teslas, allowing him to unlock doors and windows, start vehicles without keys and disable security systems.


David Colombo describes himself as a 19-year-old cybersecurity specialist based in Dinkelsbühl, Germany. Early Tuesday, Colombo tweeted that he had been able to remotely access more than 25 Teslas in 13 countries without the owners' knowledge.

"It was crazy when I discovered this," Colombo tells ISMG. "I could see the owners going grocery shopping or driving to work, and I knew I would be able to control certain aspects of their vehicles."

Colombo says he was also able to query a vehicle's location, an obvious privacy concern. He says he can turn off Sentry Mode, which uses motion sensors and cameras as part of a security system.

Colombo also says he can see whether a driver is present, manipulate the entertainment system, honk the horn and much more. For example, he could see what name an owner has assigned to a Tesla; in one case, Colombo tweeted, the name was "Red Dwarf." But Colombo says he can't use the flaw to control steering, acceleration or braking.

Colombo says he wanted to disclose the issue to the owners of the cars, but he didn't know who owned the vehicles. Colombo says he has since been in contact with Tesla's security team and is working on a write-up describing the vulnerability. The issue he found has also been assigned a CVE by Mitre, which catalogs security vulnerabilities.

John Jackson, a senior offensive security consultant with SpiderLabs and founder of the independent security research group Sakura Samurai, says he's seen Colombo's findings and they're "legit."

"The findings, while not necessarily indicative of a Tesla-specific flaw, present a serious security concern, and there's a chance that some of these owners don't realize that they are exposing their vehicles," Jackson says.

Flaw Not on Tesla's Side

Colombo has not revealed the exact details of the vulnerability, but he tweeted a series of intriguing clues. For one, he tweeted that the vulnerability is not within Tesla's software or infrastructure. Also, he tweeted that only a small number of Tesla owners are affected.

There are a variety of third-party apps for Tesla's vehicles that offer features such as performance metrics, maps and directions, and remote controls such as unlocking doors, flashing the lights and honking the horn.

The finding would appear to pose tangential risks to drivers. Colombo theorized that he could suddenly blast music at the highest volume while someone is driving, which could cause someone to lose control of their vehicle.

Tesla runs a bug bounty program through Bugcrowd, a vulnerability disclosure platform. Tesla allows security researchers to register their own vehicles for security testing, which Tesla will preapprove. The company pays up to $15,000 for a qualifying vulnerability.

Tesla will also accept reports of bugs in third-party libraries or other external projects. According to its product security page, Tesla says it may forward those reports to those developers.

"We will do our best to coordinate and communicate with researchers through this process," Tesla says.

About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
