Tesla: German teenager hacks third-party app to start cars, play music and flash headlights

A German teenager claims to have found a way to hack into an app installed in some Teslas that allows him to track cars, unlock doors, flash headlights, play music and even start driving without a key.

The third-party TeslaMate app is used by some Tesla owners to store and analyze their vehicle data. But David Colombo, 19, says it’s also allowed him to track vehicle owners’ locations throughout their day, find where they usually park, hours driven, journey speeds and even a history of the weather around the Tesla.

He was able to access 25 Teslas that use the app, and while he was able to start cars, he had no access to steering, braking or accelerating, control of which could be particularly dangerous.

The exploit unlocked a litany of potential unwanted possibilities for drivers, Colombo said.

“Imagine the music blasting to maximum volume…or imagine every time you unlock your doors, they lock again,” Mr Colombo wrote in a blog post detailing the hack.

Mr. Colombo immediately reported the issue to Tesla’s security team, who he said confirmed the vulnerability and said they would take action.

Since there was no legal way for Mr Colombo to find the owners’ identities, he tweeted about the hack, which alerted one Tesla owner in Ireland that his car was being accessed remotely.

A tweet about the hack alerted one of Tesla’s drivers in Ireland that his car was being accessed remotely. Credit: David Colombo

Mr. Colombo is the founder of a cybersecurity company, and it’s not uncommon for security researchers to search for software vulnerabilities for potential compensation.

Tesla offers cash incentives to people who report flaws in its software, but Colombo said he was not paid because the vulnerability was in a third-party application, not Tesla’s infrastructure.

(TeslaMate and Tesla did not respond to a request for comment.)

The 2021 Tesla Model 3 (file image)
A German teenager claims to have found a vulnerability in an application installed in certain Teslas, allowing him to remotely control some of the key functions. File picture. Credit: PA

Teslas have been hacked before. But cybersecurity experts believe this is the first time a vehicle has been hacked through an app that has gained direct access to certain vehicle controls and data.

They warn that the automotive industry must mature, as there are growing risks with in-vehicle applications becoming increasingly popular.

“(Automakers) need to think about self-defense cars before self-driving cars,” DigiCert Vice President Srinivas Kumar told CNN Business. “If a car can’t defend itself against an attack, do you think it’s autonomous?”

Mr Colombo also claimed during the hack that he was prompted for authentication, but the default credentials in the TeslaMate app allowed him to guess a generic password, opening the door to more data and control.

“I took the hit and tried logging in with admin:admin which unsurprisingly, but still hilariously, it worked,” Colombo said.

A message to Elon Musk

“Hey, uh…I have a serious cybersecurity question! Just had a look at a Model 3 and can’t find the ‘press on hack to cut server connectivity’ button you were talking about,” Colombo tweeted at Elon Musk.

He was referring to Mr. Musk’s thoughts on cybersecurity, shared at the 2017 National Governors Association meeting, where he said, “I think one of the biggest risks for self-driving vehicles is someone doing a fleet-wide hack.”

“You know, in principle, if someone was able to hack, say, all the self-driving Teslas, I mean even as a prank, they could, say, send them all to Rhode Island. Well, that would be the end of Tesla.

“We need to make sure that a fleet-wide hack is fundamentally impossible, and if there are people in the car, that they have overriding authority over whatever the car does,” said Mr Musk.

“So if the car does something crazy, you can press a button that no software can replace.”

“In a Perfect World”

Mr Colombo said preventing future hacks will require collaboration between automakers, app makers and car owners.

One way to prevent a hack of this nature, he said, would be for Tesla to further restrict app access to data and commands.

“In a perfect world,” Colombo says, apps accessed from an app store “wouldn’t have access to anything critical.”

“If a car cannot defend itself against an attack, do you think it is self-driving?” – Srinivas Kumar, Vice President of DigiCert

From Domino’s to Pandora, third-party apps are increasingly available in new cars, with new models offering a range of apps on their infotainment systems.

Tesla hasn’t officially launched a way for app makers to add apps to its vehicles, but Tesla tech enthusiasts have written about how to do it.

Automakers should carefully consider apps that might end up on their vehicles to ensure safety, and drivers should also be careful before downloading apps to their car systems.

The CEO of Israeli cybersecurity firm GuardKnox, Moshe Shlisel, said automakers should carefully consider the apps that end up on their vehicles to ensure security. “This is a wake-up call for the whole industry.”

He expects the cars of the future to have hundreds of thousands of apps to choose from.

“Right now it’s open season,” Shlisel said.

Colombo will continue researching Tesla-related security and hopes that Tesla owners and their cars can be as secure as possible.

– With CNN

About Donald J. Beadle
