A security researcher said he was able to remotely access dozens of Teslas around the world because security bugs found in an open-source logging tool popular with Tesla owners exposed their cars directly to the internet.
News of the vulnerability was first revealed earlier this month in a tweet by David Colombo, a security researcher in Germany, who said he had “full remote control” of more than 25 Teslas, but was struggling to disclose the issue to affected Tesla owners without making the details public and also alerting malicious hackers.
The bug is now fixed, Colombo confirmed. TechCrunch held this story until the vulnerability could no longer be exploited. Colombo published his findings in a blog post.
Colombo told TechCrunch that the vulnerabilities were found in TeslaMate, a free-to-download logging software used by Tesla owners to connect to their vehicles and access their cars’ otherwise hidden data — their car’s energy consumption, location history, driving statistics, and other granular data for troubleshooting and diagnosing problems. TeslaMate is a self-hosted web dashboard often running on the home computers of Tesla hobbyists, and relies on access to Tesla’s API to tap into their car’s data, which is tied to the car owner’s account.
But security flaws in the web dashboard — like allowing anonymous access and using default passwords that some users never changed — coupled with misconfigurations by some Tesla owners resulted in at least a hundred TeslaMate dashboards being exposed directly to the internet, including the car owner’s API key used to remotely control their Teslas.
In a call with TechCrunch, Colombo said the number of impacted Teslas is likely higher.
Colombo said he discovered that TeslaMate dashboards were unprotected by default after stumbling on an exposed dashboard last year. After scanning the internet for more open dashboards, he found exposed Teslas in the U.K., Europe, Canada, China, and across the United States.
But contacting individual Tesla owners with exposed dashboards would be a herculean task, Colombo explained, and in many cases, it’s not possible to accurately discern a way to contact affected Tesla customers.
Worse, it was possible to extract the Tesla users’ API key from the exposed dashboard, allowing a malicious hacker to retain long-term access to Teslas without the drivers’ knowledge. (An API allows two things to talk to each other over the internet — in this case, a Tesla car and company’s servers, the Tesla app or a TeslaMate dashboard.) Access to Tesla’s API is restricted to Tesla owners through a private API key associated with the owner’s account.
With access to an exposed API key, Colombo said he could remotely access some features of the car, such as unlocking the doors and windows, honking the horn, and starting keyless driving, which he verified with one Tesla owner in Ireland. He could also access the data inside, such as the car’s location data, recent driving routes and where it’s parked. Colombo said he does not believe it’s possible to use the API access to move the vehicle remotely over the internet.
Colombo said that while the security issues weren’t in Tesla’s infrastructure, Tesla could do more to improve its security, such as revoking a customer’s API key when their password is changed, an industry-standard practice.
After privately reporting the vulnerabilities, TeslaMate pushed a software fix that users have to manually install to prevent access. TeslaMate project maintainer Adrian Kumpf told TechCrunch that the update went out within a few hours of receiving Colombo’s email. In an email, Kumpf said that since the software is self-hosted, it can’t protect against users’ accidentally exposing their systems to the internet, adding that TeslaMate’s documentation has long warned users to install the software “on your home network, as otherwise your Tesla API tokens might be at risk.” Kumpf also said that users who chose the advanced installation option should not be affected.
Colombo told TechCrunch that Tesla revoked thousands of drivers’ API keys, potentially indicating that the issue may have been more widespread than initially thought. Tesla did not respond to requests for comment prior to publication. (Tesla scrapped its public relations team in 2020.)