David Colombo made waves recently when he tweeted that he had gained remote control over a number of Tesla vehicles around the world. As part of a responsible disclosure, he recently explained how he did it and what it means for Tesla owners.
Colombo is a 19-year-old cyber security entrepreneur from Germany who has worked with Red Bull, the U.S. Department of Defense, and others. Late last year, the company that he founded, Colombo Technology, was working with a software-as-a-service (SaaS) company from Paris whose chief technology officer drove a Tesla.
While poking around, he ended up discovering a webpage called TeslaMate, which gave him all kinds of information about the owner’s car, including how long it had been asleep for, its state of charge, and its mileage.
So, I now have full remote control of over 20 Tesla’s in 10 countries and there seems to be no way to find the owners and report it to them…
— David Colombo (@david_colombo_) January 10, 2022
“I must say, I am a huge Tesla fan myself. So I really wanted to know what exactly this thing was,” Colombo wrote. “TeslaMate is a pretty cool application. A self-hosted data logger for Tesla’s [sic]. And it’s open-source, so you can find everything on GitHub.”
At first, though, it seemed like it could only display information about the car. But he was curious, so he dug deeper and discovered that he could actually find the car’s driving data. That meant that he could see where the car had been, where it had charged, where it usually parks, its navigation requests, the history of its software updates, and more.
“Me after seeing that: sorry what? 0.o,” he wrote. “This was… not good. And now I definitely knew this is an issue that I should report. I should not be able to know where the CTO of this SaaS company went on vacation last year.”
The discovery that TeslaMate could pull data made Colombo curious about whether he could send commands to the Tesla. He read its source code to figure out how authentication worked and found that control over a select set of vehicle actions could be obtained using the oldest trick in the book.
“Ever heard about this distant cyber security issue called… ‘default passwords’? Yep, TeslaMate Docker’s Grafana installation comes with default credentials,” he wrote. “I took the shot and tried logging in with admin:admin which, kinda unsurprisingly, but still hilariously it worked.”
By doing that, he discovered that he could lock and unlock doors, honk the horn, change heating and cooling settings, and more. It would even have been possible to open some garage doors, if they were linked to the cars. In all, he found he could access more than 25 vehicles in 13 countries.
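The two weaknesses in this story are both configuration problems on the owner's side: a Grafana container left on its out-of-the-box admin login, and dashboards published on a public interface. The following audit script is an added example, not code from TeslaMate or from Colombo's write-up. It walks a docker-compose definition (here constructed inline as the dictionary that a YAML loader would produce, so the script runs without extra dependencies) and reports services that match either pattern. The environment variable names GF_SECURITY_ADMIN_USER and GF_SECURITY_ADMIN_PASSWORD are real Grafana settings that TeslaMate's compose file uses; the ports 3000 (Grafana) and 4000 (TeslaMate's own UI) are the usual defaults and are assumed here.

```python
"""Audit a TeslaMate-style docker-compose definition for the two weaknesses
described in the article: Grafana still on its default admin credentials,
and dashboards published on every network interface.

Added example; not code from TeslaMate or from Colombo. The compose data at
the bottom is constructed for illustration.
"""

# Real Grafana settings in their environment-variable form; TeslaMate's
# compose file sets them for its Grafana service.
ADMIN_USER_VAR = "GF_SECURITY_ADMIN_USER"
ADMIN_PASS_VAR = "GF_SECURITY_ADMIN_PASSWORD"
GRAFANA_DEFAULT_PASSWORD = "admin"

# Host bind addresses that expose a port on every interface.
PUBLIC_BIND_ADDRS = {"", "0.0.0.0", "::"}


def parse_environment(env):
    """Compose accepts `environment` as a mapping or a list of KEY=VALUE strings."""
    if env is None:
        return {}
    if isinstance(env, dict):
        return {str(k): ("" if v is None else str(v)) for k, v in env.items()}
    parsed = {}
    for item in env:
        key, sep, value = str(item).partition("=")
        parsed[key] = value if sep else ""
    return parsed


def parse_ports(ports):
    """Yield (host_ip, host_port) for each published port.

    Short syntax: "HOST:CONTAINER", "IP:HOST:CONTAINER", or "CONTAINER" alone
    (which publishes an ephemeral host port on all interfaces). Long syntax is
    a mapping with an optional host_ip. Bracketed IPv6 literals are not handled.
    """
    for entry in ports or []:
        if isinstance(entry, dict):
            yield str(entry.get("host_ip", "")), str(entry.get("published", "ephemeral"))
            continue
        parts = str(entry).split(":")
        if len(parts) == 3:
            yield parts[0], parts[1]
        elif len(parts) == 2:
            yield "", parts[0]
        else:
            yield "", "ephemeral"


def audit_compose(compose):
    """Return a list of (service_name, issue_code) tuples; an empty list means clean."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        image = str(svc.get("image", "")).lower()
        env = parse_environment(svc.get("environment"))

        # 1. Grafana default credentials: the variable missing, empty, or set to
        #    "admin" all leave the well-known login in place. A "${VAR}" value is
        #    resolved by compose at deploy time, so check the .env file separately.
        if "grafana" in image:
            password = env.get(ADMIN_PASS_VAR, GRAFANA_DEFAULT_PASSWORD)
            if password in ("", GRAFANA_DEFAULT_PASSWORD):
                findings.append((name, "DEFAULT_ADMIN_PASSWORD"))

        # 2. A port bound to 0.0.0.0 or :: on a host with a public address is
        #    reachable from the internet. Bind to loopback and front it with an
        #    authenticating reverse proxy instead.
        for host_ip, host_port in parse_ports(svc.get("ports")):
            if host_ip in PUBLIC_BIND_ADDRS:
                findings.append((name, f"PUBLIC_PORT:{host_port}"))
    return findings


# Constructed sample: the weak layout the article describes ...
WEAK_COMPOSE = {
    "services": {
        "teslamate": {"image": "teslamate/teslamate:latest", "ports": ["4000:4000"]},
        "grafana": {
            "image": "teslamate/grafana:latest",
            "environment": [f"{ADMIN_USER_VAR}=admin", f"{ADMIN_PASS_VAR}=admin"],
            "ports": ["3000:3000"],
        },
        "database": {"image": "postgres:14"},
    }
}

# ... and the same stack with a non-default password and loopback-only binds.
HARDENED_COMPOSE = {
    "services": {
        "teslamate": {"image": "teslamate/teslamate:latest", "ports": ["127.0.0.1:4000:4000"]},
        "grafana": {
            "image": "teslamate/grafana:latest",
            "environment": {ADMIN_USER_VAR: "tm-admin", ADMIN_PASS_VAR: "${GRAFANA_ADMIN_PASSWORD}"},
            "ports": [{"host_ip": "127.0.0.1", "published": 3000, "target": 3000}],
        },
        "database": {"image": "postgres:14"},
    }
}

if __name__ == "__main__":
    for label, compose in (("weak", WEAK_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(label, audit_compose(compose) or "no findings")
```

Run against the weak layout the script flags the Grafana default password and both publicly bound ports; the hardened layout produces no findings. To use it on a real deployment, load the compose file with a YAML parser and pass the resulting mapping to `audit_compose`.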
Although he could not control the steering, accelerator, or braking, Colombo still believes that this is a major safety issue.
“I also think it potentially could result in some dangerous situations on the road,” he wrote. “For example, if someone with remote access starts blasting music on max volume while the driver is on the highway, or randomly and uncontrollably remotely flashing the lights of the Teslas at night.”
Actually, this is partially false. You can use the autosummon feature in a small radius and make the car hit something (potentially, but you don’t get to steer it), although it’d have to be an upgrade that they own. You could query this though.
— John Jackson 桜の侍 (@johnjhacking) January 11, 2022
Fortunately, Colombo reported his findings to Tesla and the wider world and, as of January 13, the affected users were contacted by the Tesla Security Team. He recommends checking your emails if you’ve ever had TeslaMate deployed.
Although Colombo says he did all of this to highlight security flaws, he actually doesn’t think Tesla did a bad job or was even being particularly lax in its cybersecurity measures. This is a third-party issue and, although there’s always room for improvement (he makes a few suggestions in his article), he’s actually impressed with Tesla’s security and its response to this issue.
“Tesla is not responsible for owner or third-party issues. Luckily they still helped in remediating this and protecting the affected Tesla owners,” he wrote. “And maybe they’ll even implement some recommendations to give their users an even more secure experience.”
If you’re a Tesla owner who’s a little freaked out by all of this, Colombo has a few recommendations for you. First, be very careful who you give your credentials to. You should also enable PIN to Drive to prevent someone from stealing your car, and you should update TeslaMate, which has been made more secure since he first disclosed this issue. You also should not “put random stuff on the internet.”
Looking forward, Colombo said he will continue researching security related to Tesla in order to keep it as secure as possible.
“Automotive security is a very important topic, especially as other automakers, such as VW, join in digitizing their fleets,” he concluded.