While the age of “digital joyriding” by remotely hacking a car’s steering input is not yet upon us, a big step in that direction has been taken (if a teenage hacker is to be believed). A 19-year-old “security specialist” has claimed to have found a vulnerability in third-party software used by certain Tesla vehicles, which allows remote control of certain functions such as the engine and the security system.
Remote control threat poses serious danger to Tesla owners
David Colombo, a “white hat” hacker residing in Germany, claims that the vulnerability grants access to a variety of the systems that a legitimate owner might use their remote controls for.
Colombo outlined the vulnerability in a series of tweets, providing screenshots and video as evidence of his claim. He says that the flaw allows a remote hacker to start the engine, unlock doors and windows, and turn off security systems. It can also access the car’s interior video cameras and sensors to see if a driver is currently present, activate the headlights and turn on the sound system (including controlling the volume).
As Colombo pointed out, suddenly blasting music at top volume or flicking the headlights and horn on and off could pose a serious risk to both the driver and others on the road, let alone the possibilities for espionage and theft that such a vulnerability opens up. One of Colombo’s tweets suggested that there was a possibility of being able to steer a vehicle after remote starting it in this way, but that he would not be able to cut in and interfere with the steering of a vehicle already being operated. He also specified that the vulnerability did not create an opportunity to control acceleration or braking.
The issue originates with a piece of third party software that Tesla only uses in certain car models. Colombo was able to locate 25 individual vehicles in 13 countries that he was able to access; he also contacted most of these vehicle owners directly to warn them of the flaw. One of his video demonstrations on Twitter involved one of these owners, who filmed the hacker remotely honking his vehicle’s horn.
The remote control vulnerability appears to involve API keys for this piece of third-party software, which was not named due to security concerns (the software developer apparently has not patched the issue as of yet). The full list of impacted models is similarly being kept under wraps, but Colombo’s initial Twitter thread revealed that a Model Y in Los Angeles and a Model 3 somewhere were among the vehicles he had access to.
Another possibility is that Colombo is not referring to third party software embedded in the vehicle itself, but a type of optional aftermarket app (such as TeslaFi) that some owners opt to use for various added functionality. The issue did not seem to be with passwords or the lack of two-factor authentication, however, as Colombo mentioned in one of his tweet replies.
The third party software in question may have been TeslaMate, a self-hosted data logger, as Tesla suddenly deprecated thousands of authentication tokens the day after Colombo posted his Twitter thread and notified them. Some other Twitter users supported this idea, noting that the default configuration of the app left open the possibility of anyone gaining remote access to the vehicle. This also tracks with Colombo’s initial tweet claiming the vulnerability was “the fault of the owners, not Tesla.”
The Tesla Security Team has announced that it is investigating the remote control issue. Colombo has also notified the nonprofit vulnerability tracking organization MITRE and is preparing a detailed write-up of the third-party software flaw.
Third party software vulnerabilities make the leap to vehicles
Lotem Finkelstein, Head of Threat Intelligence and Research for Check Point, sees this as a worrying development and one that should prompt automakers to ensure that apps with remote control access to their vehicles have strong default security that does not rely on user configuration: “Can we really expect users to be familiar with the software configuration of a complex and highly technically advanced product like a modern automobile? Surely cars, of all things, need to be secure ‘out of the box’ and secure to the highest standards. It should not be possible for the driver to allow remote access to their vehicle either by a given action or indeed inaction. That said, I can foresee a future where users will need to assume some responsibility for the cyber safety of their vehicles … In the same way that we expect to be proactive in protecting our laptops and phones, I suspect we will need to take a more hands-on approach to ensuring our cars are protected from cyber-attacks. Indeed, when the lives of ourselves and our families are in danger, users will start to demand a level of personal control over such risks.”
Colombo has also suggested more granular access for the end user built into the API, with separate authentication tokens for the different functions that are subject to remote control. “Critical” elements such as the door locks and engine would have a different token scope than the less potentially damaging accessories (like interior warmers).
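The scoped-token design Colombo describes, as an added illustration that is not code from Tesla, TeslaMate or any other project named in this article: each remotely controllable function is tagged with the scope it requires, a token carries only the scopes it was issued with, and a data logger holding a read-only token is refused when it asks for a door unlock or remote start. The command names, scope names and the in-memory token store are all assumptions made for the example; tokens are stored as SHA-256 digests so a leaked store does not yield usable credentials, and revoking a token (what Tesla appears to have done in bulk the day after the thread) simply drops its entry.

```python
import hashlib
import hmac
import secrets

# Scope required by each remotely controllable function.
# Command and scope names are constructed for this example, not a real API.
COMMAND_SCOPES = {
    "read_state":   "vehicle:read",     # telemetry only, what a data logger needs
    "set_climate":  "climate:write",    # low-risk accessory
    "honk_horn":    "alerts:write",     # horn/lights
    "door_unlock":  "security:write",   # "critical" per the article's proposal
    "remote_start": "drive:write",      # engine / drive enable
}


class AuthorizationError(Exception):
    """Raised when a token is unknown, revoked, or lacks the required scope."""


class TokenStore:
    """In-memory store mapping token digests to the scopes they were issued with."""

    def __init__(self):
        self._entries = {}  # sha256 hex digest -> frozenset of scopes

    @staticmethod
    def _digest(raw_token):
        return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()

    def issue(self, scopes):
        """Mint a random token limited to the given scopes; only its digest is kept."""
        raw = secrets.token_urlsafe(32)
        self._entries[self._digest(raw)] = frozenset(scopes)
        return raw

    def revoke(self, raw_token):
        """Deprecate a token; any later use of it is refused."""
        return self._entries.pop(self._digest(raw_token), None) is not None

    def scopes_for(self, raw_token):
        """Return the token's scopes, or None if it is unknown or revoked."""
        digest = self._digest(raw_token)
        for stored, scopes in self._entries.items():
            # Constant-time comparison so lookup timing does not leak digest prefixes.
            if hmac.compare_digest(stored, digest):
                return scopes
        return None


def authorize(store, raw_token, command):
    """Allow `command` only if the token is live and carries the required scope."""
    required = COMMAND_SCOPES.get(command)
    if required is None:
        raise AuthorizationError(f"unknown command {command!r}")
    scopes = store.scopes_for(raw_token)
    if scopes is None:
        raise AuthorizationError("unknown or revoked token")
    if required not in scopes:
        raise AuthorizationError(f"token lacks scope {required!r} for {command!r}")
    return True


def is_allowed(store, raw_token, command):
    """Boolean wrapper around authorize() for callers that just need a yes/no."""
    try:
        return authorize(store, raw_token, command)
    except AuthorizationError:
        return False


if __name__ == "__main__":
    store = TokenStore()
    logger_token = store.issue(["vehicle:read"])                 # what a data logger should hold
    owner_token = store.issue(["vehicle:read", "security:write", "drive:write"])
    for cmd in COMMAND_SCOPES:
        print(f"{cmd:13s} logger={is_allowed(store, logger_token, cmd)!s:5s} "
              f"owner={is_allowed(store, owner_token, cmd)}")
    store.revoke(owner_token)
    print("owner after revoke:", is_allowed(store, owner_token, "read_state"))
```

The point of the split is blast radius: if the read-only logger token leaks through a misconfigured self-hosted app, the holder can watch telemetry but cannot unlock doors or start the car, and the single broad token that makes the incident described above possible never has to leave the owner's own device.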
In the meantime, it remains unclear exactly what the resolution to the remote control issue will be. The issue may not end up being listed as a vulnerability if it is technically a matter of operator error in setting configuration options (or failing to change the default ones). While the interested parts of the security community seem to be in general agreement that TeslaMate is the mystery third-party software that was compromised, it is not clear that the developer would be under any legal obligation to issue a patch. Changing its default settings or issuing a prominent warning to users might be enough, but it’s not clear that even that much will happen. Ultimately, Tesla owners may have to simply use this incident as a reminder to check very carefully any third-party software that they decide to use with their car.