A 19-year-old security researcher named David Colombo detailed how he was able to remotely unlock the doors, open the windows, blast music, and start keyless driving for dozens of Teslas, WIRED reported. The vulnerabilities he exploited to do so aren’t in Tesla software itself, but in a third-party app.
Salt Security’s Michael Isbitsky, technical evangelist, explains what happened:
The incident originated from a vulnerable open-source application, TeslaMate. The app enables Tesla owners to gather and report on data from their vehicles with visualizations. TeslaMate uses Grafana under the hood, which is a common open-source dashboard tool and data visualization engine. TeslaMate connects to Tesla services via APIs to gather data about a vehicle including driving routes and car location. The API also provides some interactivity with the physical vehicle such as unlocking doors and windows, starting keyless driving, and honking the horn. The Tesla API uses API keys as a primary means of authentication, and the TeslaMate application stored these API keys within the Grafana instance insecurely.
TeslaMate originally allowed unauthenticated guest access by default but fixed the issue in a recent release. A container image of TeslaMate was also distributed with an insecure default configuration for the Grafana datastore, which used an easily guessable administrator account name and password. The app package now requires users that install TeslaMate to select a new username and password upon first login. Unfortunately, prior installations of TeslaMate were exposed on the Internet where an attacker could discover them with network scanners and exploit them. Any user or Tesla owner that installed this packaged version of TeslaMate and kept the defaults was vulnerable.
Tesla responded by quickly revoking the affected API keys, which numbered in the thousands. Tesla and the security researcher did make clear that responsibility for the security problem ultimately lies with TeslaMate, which the developers were quick to remedy. It could also be argued though that Tesla should be doing more for API access control than relying solely on API keys. This is a problem we see commonly at Salt Security and cover in our API security best practices.
Reliance on API keys as a sole means of authentication, use of insecure defaults, and leaving anonymous access enabled all diminish API security. The incident also reiterates that dependencies matter. An organization’s security concerns don’t begin and end with the APIs it builds or integrates. Practitioners must also consider how third parties including developers, partners, and suppliers will use the organization’s APIs. Digital supply chains can often include ineffective or insecure API integrations with third-party services. This incident is a prime example of that reality, which effectively diminished the security of Tesla vehicles for some owners.
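The two Grafana weaknesses described above, anonymous guest access left enabled and the default administrator credentials left in place, are both ordinary configuration settings that can be audited before an instance is exposed. The following script is an added example, not code from TeslaMate, Grafana, WIRED or Salt Security: it resolves the relevant Grafana settings the way Grafana does (a `GF_<SECTION>_<KEY>` environment variable overrides `grafana.ini`, which overrides the built-in default) and reports which of the weak settings are in effect. The two sample configurations and the environment values are constructed for illustration; the 12-character password threshold is an arbitrary choice of this example, not a Grafana rule.

```python
"""Audit Grafana settings for anonymous access and default admin credentials.

Hypothetical helper written for this article; it is not part of TeslaMate
or Grafana. Grafana resolves each setting in this order of precedence:
environment variable GF_<SECTION>_<KEY> > grafana.ini > built-in default.
"""
import configparser

# Grafana's built-in defaults for the settings at issue. Note that with no
# configuration at all the admin account is admin/admin.
DEFAULTS = {
    ("security", "admin_user"): "admin",
    ("security", "admin_password"): "admin",
    ("auth.anonymous", "enabled"): "false",
    ("auth.anonymous", "org_role"): "Viewer",
}

# Constructed sample: the kind of insecure defaults the article describes.
INSECURE_INI = """
[security]
admin_user = admin
admin_password = admin

[auth.anonymous]
enabled = true
org_role = Admin
"""

# Constructed sample: anonymous access off, non-default admin username;
# the password is supplied through the environment, not the config file.
HARDENED_INI = """
[security]
admin_user = teslamate-operator

[auth.anonymous]
enabled = false
"""
HARDENED_ENV = {"GF_SECURITY_ADMIN_PASSWORD": "correct-horse-battery-staple"}


def env_key(section: str, key: str) -> str:
    """Environment variable Grafana consults for [section] key,
    e.g. ("auth.anonymous", "enabled") -> GF_AUTH_ANONYMOUS_ENABLED."""
    return "GF_" + section.replace(".", "_").upper() + "_" + key.upper()


def effective_settings(ini_text: str, env: dict) -> dict:
    """Resolve every key in DEFAULTS: env var > grafana.ini > built-in default."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    resolved = {}
    for (section, key), default in DEFAULTS.items():
        value = default
        if cfg.has_option(section, key):
            value = cfg.get(section, key)
        value = env.get(env_key(section, key), value)
        resolved[(section, key)] = value.strip()
    return resolved


def audit(ini_text: str, env: dict) -> list:
    """Return finding codes for the weak settings currently in effect."""
    s = effective_settings(ini_text, env)
    findings = []
    if s[("auth.anonymous", "enabled")].lower() == "true":
        findings.append("anonymous-access-enabled")
        # Guest access as Viewer is already a data exposure; anything above
        # Viewer lets an unauthenticated visitor change datasources/dashboards.
        if s[("auth.anonymous", "org_role")].lower() != "viewer":
            findings.append("anonymous-role-elevated")
    password = s[("security", "admin_password")]
    if password == "admin":
        findings.append("default-admin-password")
    elif len(password) < 12:  # arbitrary threshold chosen for this example
        findings.append("weak-admin-password")
    if s[("security", "admin_user")] == "admin":
        findings.append("default-admin-username")
    return findings


if __name__ == "__main__":
    print("insecure :", audit(INSECURE_INI, {}))
    print("hardened :", audit(HARDENED_INI, HARDENED_ENV))
    # An empty config is not safe either: Grafana's own defaults apply.
    print("no config:", audit("", {}))
```

Running the script shows the insecure sample tripping all four checks, the hardened sample producing no findings, and an empty configuration still reporting the default admin credentials, which is why a container image that ships without an explicit password is itself a finding.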