How the heck did a 19 year old from Germany manage to be able to take over more than 25 Tesla’s around the world?

This is quite a story so buckle up and get in for a good read!

Important: This is not a vulnerability in Tesla’s infrastructure directly.

What am I even talking about?

In short: I was able to run remote commands such as “disable Sentry Mode”, “unlock the doors”, “open the windows” and even “start Keyless Driving”.

You see where this is going? Someone with malicious intent could even steal the car.

I, fortunately, did not have any access to the steering, accelerator & brakes and any other driving safety critical feature (although I might have been able to use the summon feature to get the car moving, but I cannot confirm if this would have been possible).

Nonetheless, there should be no way at all that someone could literally walk up to some Teslas they do not own and take them for a drive.

I also think it potentially could result in some dangerous situations on the road. For example, if someone with remote access starts blasting music on max volume while the driver is on the highway, or randomly and uncontrollable remotely flashing the lights of the Teslas at night.

I would prefer that not to happen.

Legal Disclaimer, before I proceed: This is all part of Security Research and I purely have good intent. As soon as I can confirm a vulnerability exists I immediately report it to the affected and involved parties. This writeup is part of responsible disclosure to the third-party maintainer and the Tesla Security Team.

Full Timeline

To get a quick overview of all important events. Detailed report below.

Timestamp Format (yyyy-mm-dd). All dates are in CET.

2021–10–29: First got aware of this issue (found the first affected third-party instance).

2021–10–29: Contacted the owner.

2021–11–01: Got the instance taken down.

2022–01–09: Searched internet-wide for affected third-party instances.

2022–01–10: Found more than 20+ in 12 countries.

2022–01–10: Tried to find owner-identifying information.

2022–01–10: Reported this to two Tesla owners I was able to find.

2022–01–10: Tweeted about it, because I was frustrated that I couldn’t identify more Tesla owners.

2022–01–10: The Tweet exploded.

2022–01–10: Number of found instances grew to 25+ in 13 countries.

2022–01–10: I talked to the renowned cyber security export John Jackson, who recommended I get a CVE-ID assigned for this, so the issue can be handled more efficiently.

2022–01–11: Requested a CVE-ID from MITRE. Providing preliminary information.

2022–01–11: Prepared this detailed writeup to describe the full situation.

2022–01–11: Contacted the Tesla Product Security Team to get the affected owners notified asap.

2022–01–11: Contacted the third-party maintainer to possibly get a patch ready.

2022–01–11: Shared additional information regarding affected owners with the Tesla Product Security Team.

2022–01–11: MITRE granted the CVE-ID request. CVE-2022–23126 pending.

2022–01–11: The Tesla Product Security Team confirmed they are investigating the case.

2022–01–12: The third-party maintainers released version 1.25.1 with a partial fix.

2022–01–12: Tesla revoked thousands of potentially affected API tokens at 6:30 UTC / 7:30 CET.

2022–01–12: Tesla actively forced some affected users to reset their passwords.

2022–01–12: Waiting on further response from the Tesla Product Security Team.

2022–01–12: Worked with the third-party maintainer to explore potential further patches (encrypting the critical access tokens).

2022–01–13: The Telsa Security Team confirmed they revoked all affected API access tokens and all the affected Tesla owners have been notified by email and push notification.

2022–01–13: Some of the previous affected Tesla owners still seem to be affected.

2022–01–18: In contact with Tesla again, waiting on clarification from the Tesla Security Team.

2022–01–19: Tesla revoked another batch of access tokens.

2022–01–19: Discovered and reported an additional vulnerability, this time affecting Teslas API directly.

2022–01–22: Tesla confirmed the additional vulnerability and rolled out a fix into production.

2022–01–24: Public Release of this Writeup.

2022–01–24: Provided all information to MITRE / the CVE assignment team.

2022–01–24: CVE-2022–23126 published.

But now: Who even am I?

I’ll keep it short, I promise.

So, I’m David Colombo, 19 years and from the beautiful state of Bavaria in Germany (to be a bit more exact, around 2 hours from Munich).

I started coding back when I was around 10 and then somehow dived into cyber security (my school wasn’t very happy when their info screens didn’t display school information anymore).

With 15 I basically dropped out of school (with special permission from the German chamber of commerce to only go to school 2 days a week) to educate myself even more in that area and start a company with the goal to improve the current cyber security landscape. The company is now known as Colombo Technology, providing Security Audits, Penetration Tests & Cyber Security Consulting among other services.

Since then I’ve found various security vulnerabilities at e.g. RedBull, the U.S. Department of Defense and numerous more organizations under NDAs.

Now, what’s the issue with the Tesla’s? The fun part.

When did I get aware of this for the first time?

That’s the fun background story about how I initially got aware of this issue. Feel free to skip this, the more recent events are further below.

It started last year actually. I was about to get in contact with a client for my company regarding a Security Audit. A pretty cool SaaS company from Paris.

And then, you know how it is, curiosity kicked in. I already wanted to take a peek look at their infrastructure to get some basic information about what services and platforms they use, I didn’t even start a full fledged Security Audit yet. Maybe, I thought, I’d even very quickly find some outdated software or exposed backup database that I could show them in the next meeting. Oh boi, was I wrong. It was about to get much better.

When doing some basic subdomain enumeration, I found a backup.redacted.com domain. Looks interesting, right?

But there wasn’t anything running besides a plain “this works” page.

The end.

Hm, really? I mean I wouldn’t be good at my job, if I stopped right there. The exposed database would likely not run on the web ports either way.

A very light nmap scan produced some results, but did only find remoteanything and some “game server” ports. Strange enough.

Connecting via telnet didn’t work.

But… simply accessing those ports now in the browser brought up something interesting.

Let me introduce you to TeslaMate:

This already looked a lot more interesting now.

But trying to access the Dashboards or anything didn’t work.

So I thought yeah, this is nice, I can see where this Tesla is parked. Let’s go and report this.