Earlier this month, 19-year-old David Colombo (@david_colombo_) revealed he was able to hack into and gain “remote control” over 25+ Tesla cars in 13 countries without the owners’ consent or knowledge using a security vulnerability he discovered.
Now that the pertinent authorities have been informed and the security flaws he discovered have largely been patched, Colombo has published a detailed write-up explaining exactly how he was able to hack his way into more than two dozen Teslas (and uncover a vulnerability affecting many more) by “accident” and “curiosity,” as he puts it.
The German cybersecurity expert was able to gain access to Teslas thanks to a combination of exploits he found for the third-party TeslaMate companion app that many owners are fond of (all of which have since been patched in version 1.25.1 of the app) and Tesla owners’ indolence in changing default passwords, although he notes Tesla itself “could have done steps to prevent this all from happening.”
Once he had gained access to a Tesla that was vulnerable to this exploit, Colombo was able to:
Renowned cyber security researcher John Jackson said on Twitter that it would also have been possible to use the “Summon” feature to get the car moving, although in a small radius and without actual steering control, with this kind of access.
Actually, this is partially false. You can use the autosummon feature in a small radius and make the car hit something (potentially but you dont get to steer it) although it'd have to be an upgrade that they own. You could query this though.
— John Jackson (@johnjhacking) January 11, 2022
Here’s how Colombo gained access to random Teslas all around the world, condensed into a step-by-step guide by the hacker himself:
- Run an internet-wide search for TeslaMate instances (search e.g. for the MQTT brokers).
- Make sure they run with the insecure default Docker configuration (this should be fixed by now, as user please pull the latest version asap).
- Go to port 3000 to access the Grafana dashboard.
- Login using default credentials (of course only do that with explicit authorization).
- Go to the Explorer tab.
- Use the Query Builder to extract the API and refresh tokens.
- Have fun playing around with a Tesla (of course only with vehicles you own).
Once again, do note that the vulnerability Colombo originally exploited has since been patched, so this is now only possible to do with a Tesla you own and/or have the right TeslaMate credentials for.
After discovering the security hole, Colombo worked with both Tesla and the developers of TeslaMate to get things stitched up and prevent any potential malicious exploitation.
