German hacker David Colombo found a way to get into Tesla’s mobile app, which allowed him to control 25 cars in 13 different countries to some extent. He was able to turn off cameras, unlock doors, open windows, check the precise location of a car and even, if physically present in the cabin, start driving it.
The users of the TezLab application are at fault
As Colombo himself explains, the problem did not lie in Tesla’s infrastructure or in the security of the application itself. It was the users who had allowed their cars to be controlled by additional external software called TezLab. TezLab uses the manufacturer’s API to read the status of vehicles, and this is where the hacker got in: he found vulnerabilities in the TezLab software (source).
The developers of TezLab admitted that they noticed that on Wednesday, January 12, several thousand tokens granting access to Tesla’s API expired at the same time. This happened after Colombo had contacted the manufacturer to inform it of the problem.
The hacker admits he couldn’t drive the cars remotely, so there was no option for him to attack the Capitol (or the Kremlin) with a hundred Teslas. But he had the same capabilities as someone using the manufacturer’s mobile app: he could crank up the music, honk, flash the lights and open windows, all while the car was being driven. After reading a car’s location, he could go to it, get in and drive away (source), exactly as Reader Bronek did with his watch:
Note from the editors of www.elektrowoz.pl: this is how it is when we give external applications access to the most crucial data …