In what could put Tesla drivers at high-security risk, a security researcher took remote control of at least 25 Tesla cars in 13 countries without the owners’ knowledge.
He could disable Sentry Mode, open the doors/windows and even start Keyless Driving. This was “pretty dangerous, if someone is able to remotely blast music at full volume or open the windows/doors while you are on the highway”.
The Germany-based security researcher, David Colombo, said in a tweet thread that he was able to remotely access dozens of Teslas around the world because of security bugs found in an open-source logging software called ‘TeslaMate’.
TeslaMate is a free-to-download logging software used by car owners to connect to their vehicles and access their cars’ data.
This tool exposed Tesla cars directly to the Internet.
“This is not a vulnerability in Tesla’s infrastructure. It’s the owners’ faults,” Colombo said.
“Nevertheless I now can remotely run commands on 25+ Teslas in 13 countries without the owners’ knowledge,” he added.
“I could also query the exact location, see if a driver is present and so on. The list is pretty long,” he mentioned.
“Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers,” he continued.
Tesla’s security team later told the security researcher they were investigating the matter.
The bug has now been fixed but this raises grave questions about what if such tools are hacked by state-sponsored cybercriminals.
It is even possible to extract the Tesla users’ API key from the exposed dashboard, allowing a hacker to retain access to Teslas without the owners’ knowledge.