Teen Hacker Finds Bug That Lets Him Control 25+ Teslas Remotely (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: A young hacker and IT security researcher found a way to remotely interact with more than 25 Tesla electric vehicles in 13 countries, according to a Twitter thread he posted yesterday. David Colombo explained in the thread that the flaw was "not a vulnerability in Tesla's infrastructure. It's the owner's faults." He claimed to be able to disable a car's remote camera system, unlock doors and open windows, and even begin keyless driving. He could also determine the car's exact location.
However, Colombo clarified that he could not actually interact with any of the Teslas' steering, throttle, or brakes, so at least we don't have to worry about an army of remote-controlled EVs doing a Fate of the Furious reenactment. Colombo says he reported the issue to Tesla's security team, which is investigating the matter.
Lemme guess (Score:2)
They changed their passwords to 1234.
Re: (Score:2)
"Tesla12345"
He should really cut that out (Score:2)
My sister's getting annoyed at her rear camera cutting out
Re: (Score:2)
I think there is a recall out for the cable to the rear view camera becoming damaged which causes a loss of power to the rear view camera. I suggest you contact Tesla service.
Re: (Score:3)
I think there is a recall out for the cable to the rear view camera becoming damaged which causes a loss of power to the rear view camera. I suggest you contact Tesla service.
You are correct. There is a recall of nearly 500,000 Tesla vehicles due to poor manufacturing [cbsnews.com]. One recall is for the camera issue stated above due to closing the trunk causing worn wires (think about that for a moment), and the other is for the front hood spontaneously popping open while driving because the latch fails.
Can't wait for the fake wood [slashdot.org] to disintegrate.
Re: (Score:3)
Meanwhile https://en.wikipedia.org/wiki/... [wikipedia.org] actual deaths and settlement cash.
Re: (Score:2)
You know that literally every single car manufacturer ends up with safety recalls and tech bulletins to fix shit, right?
As it turns out, manufacturing an incredibly complex machine for "regular people" to operate daily for a decade is *really* hard to do with no flaws whatsoever.
Re: (Score:2)
This is a non-story. He got access tokens from clueless owners' Teslas.
If you have an access token, you can do all those things until the token is revoked. The easiest way to revoke tokens is by changing the account password.
When it comes to customers it's a good rule of thumb to assume a lot of them will be clueless. But I'm not sure that's the case here.
In this case it sounds like Tesla has some kind of API for 3rd party applications to interact with the vehicle [twitter.com] and one of those 3rd party apps had a confusing UI leading to users getting exploited.
If that tweet is accurate I would say it is Tesla's fault.
One of the reasons Tesla is so popular is they're innovating way faster than other car companies. One of the risks with that st
Re: (Score:2)
If idiots are not able to secure their api key (it's just a longer password, dummy) that shouldn't impact my use of the API.
Since this is a car thread, let me do a gun analogy - because some idiots are not able to keep their guns secure and bad actors are stealing them for bad purposes, that doesn't mean that everybody should give up their guns. Right?
Re: (Score:2)
Let's call it what it really is.
It's like clicking a link in Facebook back in the day that asks for permission to "connect to your FB account for the purposes of playing a game"
It then siphons off all of your data and submits it to some third party... like Cambridge Analytica.
Ultimately, yes, the buck stops with the end user.
However, that doesn't mean we get to ignore the implications of a system that's begging for idiots to give control of their car to nefa
Re: (Score:2)
So it's Tesla's fault that they published an API that requires pretty good security to access and use, and the owners gave access tokens to a less than reputable actor who then used that API?
This is like blaming Ford because some muppet left their F150 running with the doors unlocked in their driveway, and someone happened by and stole it.
Re: (Score:2)
It's more like some piece of malware pretending to be a legitimate app getting the user to grant it elevated privileges via UAC, gksudo, or whatever.
Which.... happens.
And I agree, there isn't much you can do about it. People are gonna be stupid.
However.
That doesn't mean you ignore the fact that it can happen, particularly in the context of this being... well, a car. Not a computer.
Re: (Score:2)
he reported the issue to Tesla's security team (Score:1, Insightful)
Hope he doesn't get arrested for it...
Re:he reported the issue to Tesla's security team (Score:5, Funny)
Hope he doesn't get arrested for it...
No, Elon will just tweet something that implies the kid is a pedophile.
Re: (Score:2)
Hope he doesn't get arrested for it...
No, Elon will just tweet something that implies the kid is a pedophile.
Why would pedo guy do that? Does he have evidence?
Re:he reported the issue to Tesla's security team (Score:4, Informative)
Re: (Score:1)
Re: (Score:2)
It's fucking scary. Don't fuck with computers that aren't yours. That includes the ones in peoples' cars.
API tokens where is the 3rd party repair access ap (Score:2)
API tokens where is the 3rd party repair access apis?
still waiting for an answer... (Score:1)
why must a car be connected to the internet in any capacity?
why does it need software updates?
why does it need telemetry and tracking?
can you disable this nonsense? i like the idea of a tesla, but the privacy aspect is a deal breaker.
Re: (Score:1)
As always, the answer is Miata.
https://engineswapdepot.com/?p... [engineswapdepot.com]
https://m.youtube.com/watch?v=... [youtube.com]
Re: (Score:2)
And you probably posted that while having an Android device in your pocket wherever you go. Because Google has never used personal data to make money.
Re: (Score:3, Interesting)
Seriously? I'm assuming you already know the answer to these questions, if you're savvy enough about tech to even read Slashdot in the first place.
But in a nutshell? A Tesla has two separate computer systems; one for the infotainment center/touch-screen, and the other a discrete system that handles the autopilot/self-driving capabilities.
The software updates Tesla pushes out over wi-fi (or a cellular LTE network in cases where they're not too large) are to improve the touch-screen infotainment experience.
Re: (Score:2)
Okay, so you need the OTA updates for features that are gimmicky, not-necessary, and just kind of silly. (i contend that a freaking tablet in the center console is in all ways inferior to tactile knobs, and having instrument clusters directly above/behind the steering wheel is still wise). And, at the end of the day, it's still just a car.
it's interesting the amount of pearl clutching caused by someone having the audacity to hold a phone in their hand while driving; yet silly infotainment gadgets like the ab
Re: (Score:3)
Example of free OTA updates I received since i got my M3 2 years ago:
- Optimization of regenerative charging and improvements in power usage, adding 10 miles of range to the car.
- Option of also viewing side cameras while reversing (very useful when backing out of a parking spot)
- Voice commands for almost every operation done in the UI. And improvement to the voice commands (original version had issues with my accent, latest ones understand everything)
- AutoPilot recognizing speed limit signs and using t
Re: (Score:2)
How to adjust the wipers:
Learn how to use the controls of a car before driving the car. No matter what car it is. Yes, you can get to the wipers by going through three menus, but that isn't how you should get to them while driving. I'm sure that there are convoluted secondary ways to get to controls in other cars as well.
As far as I kn
Re: (Score:2)
I'm still not sold on replacing simple mechanical devices with electronics that drive more complex mechanical devices. ... with a very very few exceptions, like ignition (fuel injection).
Re: (Score:2)
First, the speedometer is *never* covered. Ever.
Second, while the new update has made some settings harder to get to (which I find really fucking annoying, but that's probably because I was used to where they used to be after driving a Model 3 for 2+ years), there is a physical button to make the wipers do a swipe of the windshield immediately on the end of the turn signal stalk. Also, you can use the voice thing to adjust the wipers - "set wipers to 2", "turn on wipers", "set wipers to auto" etc. work ju
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Tesla does update the autopilot features over the air. They upgrade and downgrade them quite often, in fact. Sometimes you get new features or improved operation, other times they disable features due to regulatory issues or accidents.
That is except for in Japan, where the regulator forbade it.
Re: (Score:2)
I don't think you are right, from tesla.com (I don't think you can get more authoritative than that) https://www.tesla.com/en_NZ/mo... [tesla.com]:
Full Self Driving Feature
The currently enabled features require active driver supervision and do not make the vehicle autonomous. The activation and use of these features are dependent on achieving reliability far in excess of human drivers as demonstrated by billions of miles of experience, as well as regulatory approval, which may take longer in some jurisdictions. As these self-driving features evolve, your car will be continuously upgraded through over-the-air software updates.
Re: (Score:2)
The code for the autopilot can be updated. Last year my M3 gained ability to recognize & display other objects on the road besides cars and to read and act upon stop signs and lights and speed limit signs (autopilot speed changes automatically). Also there are all the people getting the new FSD beta code which uses the AI chips in the current-gen hardware.
You CAN turn off mobile connectivity and wifi and the car will not transmit or receive anything. But then you will lose traffic-aware routing and all
Re: (Score:3)
The computer and code for the autopilot don't receive updates that way. You only get a new version of that when you buy a Tesla vehicle with a newer generation of it installed. (They had AP 2.0, 2.5 and 3.0 so far, plus the Intel Mobileye tech they licensed initially, which many refer to as AP1.)
HW3 vs HW2 is a hardware change. But firmware, the code that controls subsystems is updateable over the air. They update it pretty frequently. That's one of the big advantages of Tesla being vertically integrated. They can add a new revision to the LTE modem and then push out updates over the air to fix a bug for instance using too much power.
The challenge that legacy automakers face is that every component in the car comes from a vendor as a complete package. So if you want your LTE modem firmware updat
re: AP and software (Score:2)
Well, ok.... I do stand corrected in a sense, here. The crux of the issue is, you've got a lot of computerized systems interacting in something like a Tesla.
If you're talking about older Teslas with AP1 autopilot? The entire system was a different code-base because they licensed it from Intel. They haven't made any software changes/updates to that since around 2014-15. (Not sure they even legally could?)
With the newer stuff, yeah - they can update firmware whenever they wish. A lot of the limitations in t
My ass only! (Score:2)
Re: (Score:2)
and hopefully the road, depending on your driving style.
Re: (Score:2)
Re: (Score:3)
"I don't want my car connected to anything except my ass." - Red Forman
Re: (Score:2)
This could be just the thing you're looking for [fandom.com]
Re: (Score:1)
Okay, but your head is in the way
No (Score:3)
He found people running a 3rd party app with default credentials.
Request for a Grammar Nazi (Score:2)
"It's the owner's faults."
What is the proper form?
Owners' is for group ownership right and the group owns the fault, right?
Re: (Score:2)
Aaand on other news.... (Score:1)
Knight Rider (Score:1)
but Kitt's gone to the Dark Side
Call me cynical but ... (Score:2)
I would consider this to be a vulnerability. The fact that the cars can be remotely controlled in the first place, and that critical systems are not air-gapped is a fundamental security design flaw.
I don't want my car talking to the Internet. I'm not even sure that I want the radio talking to the Internet due to privacy implications (this rules out a GPS too obviously, and even having a smart phone in the vehicle), but I can at least see the value there.
But anything that has to do with the operation of the veh
Cellular? (Score:2)
Thank you in advance.