IT Security Guru
A 19-year-old security researcher was able to hack 25+ Teslas. Here's what happened

by The Gurus
January 28, 2022
in Editor's News

A 19-year-old security researcher named David Colombo detailed how he was able to remotely unlock the doors, open the windows, blast music, and start keyless driving for dozens of Teslas, WIRED reported. The vulnerabilities he exploited to do so aren't in Tesla software itself, but in a third-party app.

Salt Security's Michael Isbitsky, technical evangelist, explains what happened:

The incident originated from a vulnerable open-source application, TeslaMate. The app enables Tesla owners to gather and report on data from their vehicles with visualizations. TeslaMate uses Grafana under the hood, which is a common open-source dashboard tool and data visualization engine. TeslaMate connects to Tesla services via APIs to gather data about a vehicle including driving routes and car location. The API also provides some interactivity with the physical vehicle such as unlocking doors and windows, starting keyless driving, and honking the horn. The Tesla API uses API keys as a primary means of authentication, and the TeslaMate application stored these API keys within the Grafana instance insecurely.

TeslaMate originally allowed unauthenticated guest access by default but fixed the issue in a recent release. A container image of TeslaMate was also distributed with an insecure default configuration for the Grafana datastore, which used an easily guessable administrator account name and password. The app package now requires users that install TeslaMate to select a new username and password upon first login. Unfortunately, prior installations of TeslaMate were exposed on the Internet where an attacker could discover them with network scanners and exploit them. Any user or Tesla owner that installed this packaged version of TeslaMate and kept the defaults was vulnerable.

Tesla responded by quickly revoking the affected API keys, which numbered in the thousands. Tesla and the security researcher did make clear that responsibility for the security problem ultimately lies with TeslaMate, which the developers were quick to remedy. It could also be argued though that Tesla should be doing more for API access control than relying solely on API keys. This is a problem we see commonly at Salt Security and cover in our API security best practices.

Reliance on API keys as a sole means of authentication, use of insecure defaults, and leaving anonymous access enabled all diminish API security. The incident also reiterates that dependencies matter. An organization’s security concerns don’t begin and end with the APIs it builds or integrates. Practitioners must also consider how third parties including developers, partners, and suppliers will use the organization’s APIs. Digital supply chains can often include ineffective or insecure API integrations with third-party services. This incident is a prime example of that reality, which effectively diminished the security of Tesla vehicles for some owners.
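As an added illustration of the two insecure defaults Isbitsky describes (anonymous access left on, guessable admin credentials), here is a small Python check that reads Grafana's grafana.ini-style settings and flags them. This is not code from TeslaMate, Grafana or the article; the `[security]` and `[auth.anonymous]` keys are real Grafana settings, while the two sample configurations and the default-password list are constructed.

```python
"""Audit Grafana settings for the insecure defaults discussed above.

Added example, not TeslaMate or Grafana project code. It parses grafana.ini
text with configparser and reports anonymous access and default admin
credentials. Grafana itself ships with admin/admin, so a missing setting is
treated as that default.
"""
import configparser
from typing import List

# Constructed sample: the kind of shipped-default configuration the article
# describes (anonymous viewers allowed, admin account left at admin/admin).
WEAK_INI = """
[security]
admin_user = admin
admin_password = admin

[auth.anonymous]
enabled = true
org_role = Viewer
"""

# Constructed sample of the corrected settings: anonymous access disabled, a
# unique admin name, and the password expanded from an environment variable
# with Grafana's $__env{} syntax so the secret never sits in the file.
HARDENED_INI = """
[security]
admin_user = teslamate-ops
admin_password = $__env{GRAFANA_ADMIN_PASSWORD}

[auth.anonymous]
enabled = false
"""

# Constructed list of guessable values to reject for the admin account.
COMMON_DEFAULTS = {"admin", "password", "grafana", "changeme"}


def audit_grafana(ini_text: str) -> List[str]:
    """Return a list of findings for the given grafana.ini text; [] is clean."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    findings = []
    # Grafana's anonymous auth lets anyone reach dashboards (and whatever the
    # datasources behind them expose) without logging in.
    if cfg.getboolean("auth.anonymous", "enabled", fallback=False):
        findings.append("anonymous access enabled: dashboards readable without login")
    # Fallbacks mirror Grafana's built-in defaults, so an absent key is a finding.
    user = cfg.get("security", "admin_user", fallback="admin")
    password = cfg.get("security", "admin_password", fallback="admin")
    if user.lower() in COMMON_DEFAULTS:
        findings.append(f"default admin username in use: {user!r}")
    if password.lower() in COMMON_DEFAULTS or len(password) < 12:
        findings.append("default or short admin password: rotate it and load it from a secret")
    return findings
```

An empty or partial configuration is reported as insecure too, because Grafana falls back to admin/admin when the keys are absent.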

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic