1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • These software flaws could have left your Tesla open to anyone

    From TechnologyDaily@1337:1/100 to All on Tue Jan 25 21:15:04 2022
    These software flaws could have left your Tesla open to anyone

    Date:
    Tue, 25 Jan 2022 20:50:33 +0000

    Description:
    Free logging software exposed Tesla APIs, allowing a researcher to take "full control" over dozens of vehicles.

    FULL STORY ======================================================================

    A vulnerability in a logging software used by Tesla car owners, paired with some poor security practices by the same owners, allowed a cybersecurity researcher to take full control of more than 25 vehicles. No malware was necessary, and no antivirus software would be able to detect the issue.

    In a blog post , German researcher David Colombo revealed how the vulnerability allowed him to unlock the doors and windows, disable the Sentry mode, honk the horn, and even start keyless driving.

    The vulnerability, which has since been patched, was found in the tool called TeslaMate. Its a free logging software that Tesla owners can install on their endpoints to gain access to data such as energy consumption, energy history, or driving statistics. Its a self-hosted web dashboard that needs access to Teslas API, which is where the problem lies. Revoking APIs

    The dashboard allowed anonymous access, and came with a default password setting which many users did not change. By extracting the Tesla API, through the dashboard, Colombo managed to keep his access to the vehicle, and also gain access to data such as location, recent driving routes, or parking locations.

    Luckily enough, the researcher doesnt believe the vehicle could be moved this way, but being able to flash the cars light while it drives on the highway is dangerous enough.

    Colombo found unprotected cars in the UK, Europe, Canada, China, and the States.

    While this is not directly a security omission on Teslas end, there are a few things the company could do to keep its customers safe, the researcher
    claims, including revoking the API when the password is changed, which is industry-standard practice.

    After discovering the problem, Colombo managed to get in touch with
    TeslaMates creators and have them issue a patch. Talking to TechCrunch , TeslaMate project maintainer Adrian Kumpf said the patch was built within hours of receiving Colombos heads-up.

    Still, Kumpf stressed that the software is self-hosted and cant protect against users accidentally exposing their systems to the internet. TeslaMate comes with a warning that the software should be installed on your home network, as otherwise your Tesla API tokens might be at risk.

    Still, the patch needs to be manually installed. You might also want to check out our list of the best firewalls available now

    Via: TechCrunch



    ======================================================================
    Link to news story: https://www.techradar.com/news/these-software-flaws-could-have-left-your-tesla -open-to-anyone/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)