International Cyber Expo International Cyber Expo
  • About Us
Thursday, 9 July, 2026
IT Security Guru
International Cyber Expo
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

A 19 year old security researcher was able to hack 25+ Teslas. Here’s what happened

by The Gurus
January 28, 2022
in Editor's News
Share on FacebookShare on Twitter

A 19-year-old security researcher named David Colombo detailed  how he was able to remotely unlock the doors, open the windows, blast music, and start keyless driving for dozens of Teslas, WIRED reported. The vulnerabilities he exploited to do so aren’t in Tesla software itself, but in a third-party app.

Salt Security‘s Michael Isbitsky, technical evangelist, explains what happened:

The incident originated from a vulnerable open-source application, TeslaMate. The app enables Tesla owners to gather and report on data from their vehicles with visualizations. TeslaMate uses Grafana under the hood, which is a common open-source dashboard tool and data visualization engine. TeslaMate connects to Tesla services via APIs to gather data about a vehicle including driving routes and car location. The API also provides some interactivity with the physical vehicle such as unlocking doors and windows, start keyless driving, and honk the horn. The Tesla API uses API keys as a primary means of authentication, and the TeslaMate application stored these API keys within the Grafana instance insecurely.

TeslaMate originally allowed unauthenticated guest access by default but fixed the issue in a recent release. A container image of TeslaMate was also distributed with an insecure default configuration for the Grafana datastore, which used an easily guessable administrator account name and password. The app package now requires users that install TeslaMate to select a new username and password upon first login. Unfortunately, prior installations of TeslaMate were exposed on the Internet where an attacker could discover them with network scanners and exploit them. Any user or Tesla owner that installed this packaged version of TeslaMate and kept the defaults was vulnerable.

Tesla responded by quickly revoking the affected API keys, which numbered in the thousands. Tesla and the security researcher did make clear that responsibility for the security problem ultimately lies with TeslaMate, which the developers were quick to remedy. It could also be argued though that Tesla should be doing more for API access control than relying solely on API keys. This is a problem we see commonly at Salt Security and cover in our API security best practices.

Reliance on API keys as a sole means of authentication, use of insecure defaults, and leaving anonymous access enabled all diminish API security. The incident also reiterates that dependencies matter. An organization’s security concerns don’t begin and end with the APIs it builds or integrates. Practitioners must also consider how third parties including developers, partners, and suppliers will use the organization’s APIs. Digital supply chains can often include ineffective or insecure API integrations with third-party services. This incident is a prime example of that reality, which effectively diminished the security of Tesla vehicles for some owners.

ShareTweet
Previous Post

Malware source code discovered on GitHub puts millions of IoT devices at risk

Next Post

White House: Industrial Control Systems Cybersecurity Initiative to be extended to the water sector

Recent News

hand typing on keyboard

CitrixBleed 2 exploited in repeatable attack chain culminating in DragonForce ransomware, researchers find

July 9, 2026
malware

Huntress Uncovers ‘Vibe-Coded’ Malware Used to Map Active Directory Environments

July 8, 2026
Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

Check Point’s ThreatCloud AI Blocked 4.6 Billion Attacks in 2025, Latest ESG Report Reveals

July 8, 2026
Kirsty Fowler, WorkNest Secure

Next Gen Spotlights: Building a More Resilient Future – Q&A with WorkNest Secure

July 8, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2026 IT Security Guru - Website Managed by Dessol