
Teen hacker claims ability to control 25 Teslas worldwide

While waiting for my MY to arrive, I went through this article. Trying to give a heads up to anybody using third party apps. Be aware.

Here is the link: Hacker, 19, takes control of more than 20 Teslas through software flaw

Reading the article, this quote is extremely relevant:

========================

Tyler Corsair tweeted: ‘These owners utilized an open-source project called Teslamate and then configured it incorrectly (partially the dev's fault for setting bad default configurations) so that anyone could access it remotely.’

=======================

Teslamate is a SELF HOSTED tool, which means that these owners did this to themselves, 100%. I don't use third party tools myself, but this should not be painted as some sort of infrastructure flaw. This should be painted as a flaw in the owners themselves SELF HOSTING a solution they didn't know how to use.

Since the actual "own" is the owners of these cars owning themselves by self hosting a tool they did not configure properly, I believe this thread title should be changed as well. That will be up to a mod for this subforum.
 
My wife sent this to me, I have no idea if or how much of it is valid. Bigger brains would know.

It's a problem of handing your user name and password to a third-party app. If you enter your user name and password into the Tesla app, Tesla honors your confidentiality. However, when you enter your name and password to a non-Tesla app, it's like giving your physical car key or ATM card with your password to a stranger. Anything can happen because they don't need to abide by Tesla's codes of conduct.

The best way to prevent this is to stop using apps that are not genuinely from Tesla.
 
There is already at least one thread here on this, but no this is NOT "Third party apps". If you read the article you will see they specifically mention "Teslamate" which is a SELF HOSTED solution.

This means these people did this to themselves by not setting it up properly. There is no "Tesla hack", although the media will run with this story (as evidenced by at least 2 other threads popping up with "3rd party tesla hack" when it's actually one SELF HOSTED app).

This is like leaving a key in your front door, then being surprised if someone walks by later, turns the key and walks in.

EDIT, this comment was for the OP in the thread, not for @thesmokingman who posted their response while I was typing this one.
 
...third party apps only...
The article said:

"In an interview, Colombo provided screenshots and other documentation of his research that identified the maker of the software and gave details of the vulnerabilities. He asked that Bloomberg not publish specifics because the affected organization hasn’t yet published a fix."

And I think that's irresponsible to not warn which software that is so people can immediately stop using it rather than keeping it secret and allowing more people to sign on to that vulnerable software.
 
They are not saying because the software isn't patched yet. Knowing which could lead plenty of bad-intended hackers to abuse the hole before it's patched. Software security very often works that way: a fix is posted before the vulnerability is put out publicly. The public announcement is so people upgrade their software.
I haven't seen mention of Teslamate in the article, but it would be reassuring if it was that, since there are not too many users.
 
The original thread I saw on this here is this one:


(the thread title also said "Third party apps" before it was changed by a moderator. It's likely this thread ends up merged there as well)

The article it links to is here:


When I read this originally, it looked like they were saying "it's Teslamate". Now I see that it's speculation that it's Teslamate, but people think the researcher might be hyping this up more than necessary for follows.
 
As far as I can see based on the information on the Internet, Tesla's API tokens do not have differentiation between read-only and full-control permissions. A token can allow someone to do everything the API offers with the car. If a user's intention of using 3rd party apps is to collect statistics (like the vast majority of Teslamate users), there is absolutely no need to allow those apps to control the car.

Tesla can be partly responsible in this case for not having finer grained access control on API tokens.
 
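The read-only scoping the post above says Tesla's tokens lack can be approximated on the owner's side: keep the real token inside a small self-hosted proxy and let a statistics app talk only to that proxy, which forwards nothing but allow-listed GET requests. The gate below is an added example, not Tesla's, Teslamate's or any app's code. It assumes the unofficial owner-API path layout (`/api/1/vehicles/<id>/vehicle_data` for reads, `/api/1/vehicles/<id>/command/<name>` for actions) and the sample requests are constructed for illustration.

```python
"""Read-only request gate for a self-hosted proxy that holds the Tesla token.

Added example, not code from Tesla or TeslaMate. The owner-API paths below
are assumed from the unofficial API layout; the sample traffic is constructed.
"""
import re
from urllib.parse import urlsplit

# Only the endpoints a statistics collector legitimately needs.
# Everything not listed here (commands, wake_up, unknown paths) is denied.
READ_ONLY_PATHS = (
    re.compile(r"^/api/1/vehicles$"),
    re.compile(r"^/api/1/vehicles/\d+$"),
    re.compile(r"^/api/1/vehicles/\d+/vehicle_data$"),
    re.compile(r"^/api/1/vehicles/\d+/data_request/[a-z_]+$"),
)


def is_read_only(method: str, url: str) -> bool:
    """Return True only for GET requests whose path is on the allow-list.

    The path is matched anchored and un-normalised, so "../command/..." tricks
    simply fail to match and are denied; query strings are ignored.
    """
    if method.upper() != "GET":
        return False
    path = urlsplit(url).path.rstrip("/") or "/"
    return any(p.match(path) for p in READ_ONLY_PATHS)


def filter_requests(requests):
    """Split (method, url) pairs into (allowed, denied) lists."""
    allowed, denied = [], []
    for method, url in requests:
        (allowed if is_read_only(method, url) else denied).append((method, url))
    return allowed, denied


# Constructed sample traffic: what a stats app sends, and what an attacker
# holding the app's proxy credential would try.
SAMPLE_REQUESTS = [
    ("GET", "https://owner-api.example/api/1/vehicles"),
    ("GET", "https://owner-api.example/api/1/vehicles/12345/vehicle_data?x=1"),
    ("POST", "https://owner-api.example/api/1/vehicles/12345/command/door_unlock"),
    ("POST", "https://owner-api.example/api/1/vehicles/12345/wake_up"),
    ("GET", "https://owner-api.example/api/1/vehicles/12345/command/honk_horn"),
    ("GET", "https://owner-api.example/api/1/vehicles/12345/vehicle_data/../command/door_unlock"),
]

if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_REQUESTS)
    print("allowed:", *ok, sep="\n  ")
    print("denied:", *bad, sep="\n  ")
```

The proxy itself (TLS, the credential the app presents, forwarding with the real token) is deliberately out of scope here; the point is the default-deny allow-list, which is what turns an all-or-nothing token into a read-only one for the app that should never need more.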
Most of those apps also offer control of the car, with some of them offering things that Tesla does not (scheduling routines etc). I don't use them, as I am not interested in sharing my Tesla token like that.
 
^^🤣🤣

WTF, why is there even an anonymous login option??
The default docker installation of Teslamate is hopelessly insecure, even after they disable anonymous login to Grafana. The Postgres DB password is written in clear text in the docker-compose.yml file. The default login to Grafana is well known, and I suspect that users seeking the convenience of the docker installation method would not bother to change the default password. So your only defence to hacking is the assumption that your local network will never have malicious users.
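The three weaknesses named in the post above (anonymous Grafana login, a clear-text or default database password, and services reachable from beyond localhost) are all visible in the compose file, so they can be checked before `docker compose up`. The auditor below is an added example, not Teslamate's or Grafana's code. `GF_AUTH_ANONYMOUS_ENABLED` and `GF_SECURITY_ADMIN_PASSWORD` are real Grafana settings; `DATABASE_PASS` is assumed to be the variable name the compose file uses for the Postgres password, and both compose texts are constructed to show the weak setting beside the corrected one.

```python
"""Line-based audit of a docker-compose file for the weaknesses discussed above.

Added example, not TeslaMate's or Grafana's code. Checks three things:
  * Grafana anonymous auth turned on,
  * database / Grafana admin passwords hard-coded (and whether they are defaults),
  * published ports bound to every interface instead of 127.0.0.1.
DATABASE_PASS is assumed to be the Postgres password variable; compose texts are constructed.
"""
import re

WEAK_PASSWORDS = {"password", "admin", "teslamate", "secret", "changeme", ""}
SECRET_KEYS = ("GF_SECURITY_ADMIN_PASSWORD", "DATABASE_PASS", "POSTGRES_PASSWORD")

# "KEY=value" list form or "KEY: value" map form; only upper-case keys are env vars here.
ENV_RE = re.compile(r"^\s*-?\s*([A-Z_][A-Z0-9_]*)\s*[:=]\s*(.*?)\s*$")
# "- 4000:4000", "- \"4000:4000\"" or "- 127.0.0.1:4000:4000"
PORT_RE = re.compile(r'^\s*-\s*"?(\d{1,3}(?:\.\d{1,3}){3}:)?(\d+):(\d+)"?\s*$')


def _unquote(value: str) -> str:
    return value.strip().strip('"').strip("'")


def audit_compose(text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    in_ports = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.strip().startswith("ports:"):
            in_ports = True
            continue
        if in_ports:
            m = PORT_RE.match(line)
            if m:
                bind, host_port, _ = m.groups()
                if bind is None or bind.startswith("0.0.0.0"):
                    findings.append(f"port {host_port} published on all interfaces")
                continue
            in_ports = False  # first non-port line ends the ports list
        m = ENV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), _unquote(m.group(2))
        if key == "GF_AUTH_ANONYMOUS_ENABLED" and value.lower() == "true":
            findings.append("Grafana anonymous login enabled")
        elif key in SECRET_KEYS:
            if value.startswith("${"):
                continue  # taken from the environment or a .env file, not hard-coded
            if value.lower() in WEAK_PASSWORDS:
                findings.append(f"{key} uses a default or weak password")
            else:
                findings.append(f"{key} stored in clear text in the compose file")
    return findings


# Constructed: the kind of default-ish file the post describes.
INSECURE_COMPOSE = """\
version: "3"
services:
  teslamate:
    image: teslamate/teslamate:latest
    environment:
      - DATABASE_USER=teslamate
      - DATABASE_PASS=password
      - DATABASE_NAME=teslamate
      - DATABASE_HOST=database
    ports:
      - 4000:4000
  database:
    image: postgres:14
    environment:
      - POSTGRES_USER=teslamate
      - POSTGRES_PASSWORD=password
  grafana:
    image: teslamate/grafana:latest
    environment:
      - DATABASE_PASS=password
      - GF_AUTH_ANONYMOUS_ENABLED=true
    ports:
      - 3000:3000
"""

# Constructed: same services with secrets moved to the environment, anonymous
# login off, and ports bound to loopback (put a reverse proxy with auth in front).
HARDENED_COMPOSE = """\
version: "3"
services:
  teslamate:
    image: teslamate/teslamate:latest
    environment:
      - DATABASE_USER=teslamate
      - DATABASE_PASS=${TM_DB_PASS}
      - DATABASE_NAME=teslamate
      - DATABASE_HOST=database
    ports:
      - 127.0.0.1:4000:4000
  database:
    image: postgres:14
    environment:
      - POSTGRES_USER=teslamate
      - POSTGRES_PASSWORD=${TM_DB_PASS}
  grafana:
    image: teslamate/grafana:latest
    environment:
      - DATABASE_PASS=${TM_DB_PASS}
      - GF_AUTH_ANONYMOUS_ENABLED=false
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASS}
    ports:
      - 127.0.0.1:3000:3000
"""

if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(name, audit_compose(text))
```

This is a heuristic over the common list/map forms, not a YAML parser, so treat an empty result as "nothing obvious" rather than a clean bill. Binding to 127.0.0.1 only helps if the host is not itself exposed; the post's remaining caveat, trusting everyone on the local network, still applies until something with real authentication sits in front.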