Bermuda Post

Sunday, Mar 26, 2023

Teen's Tesla hack shows how vulnerable third-party apps may make cars

Teen's Tesla hack shows how vulnerable third-party apps may make cars

A German teenager says he found a vulnerability in an app installed in some Teslas, which allowed him the ability to unlock doors, flash headlights and blast music. The hack highlights the relative lack of oversight in apps that some drivers can download to their cars.

David Colombo identified a vulnerability in TeslaMate, a third-party app that some Tesla owners use to analyze data from their vehicle. He was able to access 25 Teslas that use the app, and he did not have access to steering, braking or acceleration, which could be especially dangerous.

The exploit did unlock a litany of potential unwelcome possibilities for drivers, the hacker said.

"Imagine music blasts at max volume and every time you want to turn it of [sic] it just starts again or imagine every time you unlock your doors they just lock again," Colombo, the 19-year-old behind the hack, wrote in a Medium post detailing the hack. Colombo said that he could even track the location of Tesla vehicles as their owners went about their day.

Colombo told CNN Business that he immediately reported the vulnerability that enabled the hack to involved parties, including Tesla. Colombo leads a cybersecurity company, and it is not uncommon for security researchers to seek out software vulnerabilities for potential compensation. Tesla offers cash incentives to people who report flaws in its software, but Colombo said he wasn't paid as the vulnerability was in a third-party app, not Tesla infrastructure.

(TeslaMate and Tesla did not respond to a request for comment.)

Cars, including Teslas, have been hacked before. But cybersecurity experts believe this is the first time a vehicle has been hacked through an app that has been granted access direct access to some vehicle controls and data. TeslaMate software is installed on a computer that is not the vehicle, and then accesses the vehicle through its interface for apps. Apps can delight drivers with services their car wouldn't otherwise have, as well as create new revenue for automakers through app-related fees.

But cybersecurity experts caution that the auto industry must mature, as there are growing risks as in-car apps become increasingly common in the years ahead.

"[Automakers] need to think about self-defending cars before self-driving cars," Srinivas Kumar, a vice president at the cybersecurity company DigiCert who leads efforts to protect connected devices, told CNN Business. "If a car can't defend itself from an attack, do you trust it to be self-driving?"

Colombo said that preventing future hacks will require collaboration between automakers, app makers and car owners.

One way to prevent a hack of this nature, he said, would be if Tesla more thoroughly restricted apps' access to data and commands. For example, an app could be restricted to only be able to view data, such as whether the doors are locked, but not be able to unlock them.

"In a perfect world those apps in an app store that you could download to your Tesla wouldn't have access to anything critical," Colombo said.

Third-party apps are increasingly becoming available in new cars. Some newer models offer a limited range of apps on their infotainment system. Some Cadillac drivers can download Spotify, NPR and the Weather Channel, for instance. Newer Ford models offer apps like Waze, Domino's and Pandora.

Tesla has not officially launched a way for app creators to add apps to its vehicles. But tech savvy Tesla enthusiasts have written about how to do so.

Moshe Shlisel, the CEO of Israeli cybersecurity company GuardKnox, said that automakers should scrutinize apps that end up on their vehicles to ensure safety. GuardKnox is developing a way for cars to monitor their apps and shut them down if they're doing something wrong, such as communicating to an off-limits part of the vehicle.

"It's a wake-up call to the entire industry," Shlisel said of Colombo's hack.

He expects that cars in the future will have hundreds of thousands of apps to choose from.

General Motors reviews apps and scans them for vulnerabilities, according to spokesman Darryll Harrison. Ford, which also allows a limited set of apps on some vehicles, declined to comment for this story.

But screening apps displayed on infotainment systems won't stop a person with sophisticated technical abilities from running an app on a vehicle independent of the automaker's approval. This could be done through a USB connection or an over-the-air vulnerability as occurred in the Tesla hack, according to cybersecurity experts.

The National Highway Traffic Safety Administration released best practices for cybersecurity in 2016, but it hasn't created standards for apps installed in vehicles. Neither has the auto industry.

"Right now it's open season," Shlisel said.


Related Articles

Bermuda Post
In a dramatic U-turn against His Government: Judicial Overhaul Legislation Must Be Halted, Says Israeli Defense Minister Yoav Gallant
Powell: Silicon Valley Bank was an 'outlier'
Donald Trump arrested – Twitter goes wild with doctored pictures
NYPD is setting up barricades outside Manhattan Criminal Court ahead of Trump arrest.
Credit Suisse's Scandalous History Resulted in an Obvious Collapse - It's time for regulators who fail to do their job to be held accountable and serve as an example by being behind bars.
Home Secretary Suella Braverman tours potential migrant housing in Rwanda as asylum deal remains mired in legal challenges
Paris Rioting vs Macron anti democratic law
'Sexual Fantasy' Assignment At US School Outrages Parents
Credit Suisse to borrow $54 billion from Swiss central bank
Russian Hackers Preparing New Cyber Assault Against Ukraine
Jeremy Hunt insists his Budget will get young parents and over-50s back into work
If this was in Tehran, Moscow or Hong Kong
Nashville police officer, and a female driver shooting one another
TRUMP: "Standing before you today, I am the only candidate who can make this promise: I will prevent World War III."
Mexican President Claims Mexico is Safer than the U.S.
A brief banking situation report
Lady bites police officer and gets instantly reaction
We are witnessing widespread bank fails and the president just gave a 5 min speech then walked off camera.
Donald Trump's asked by Tucker Carlson question on if the U.S. should support regime change in Russia?.
'No relation to the American SVB': India's SVC Bank acts to calm depositors amid brand name confusion.
Good news: The U.S. government is now guaranteeing all deposits, held by, Silicon Valley Bank, and the funds are available as of today
Silicon Valley Bank exec was Lehman Brothers CFO
In a potential last-ditch effort, HSBC is considering a rescue deal to save Silicon Valley Bank UK from insolvency
BBC Director General, Tim Davie, has apologized, but not resigned, yet, following the disruption of sports programmes over the weekend
Elon Musk Is Planning To Build A Town In Texas For His Employees
The Silicon Valley Bank’s collapse effect is spreading around the world, affecting startup companies across the globe
City officials in Berlin announced on Thursday that all swimmers at public pools will soon be allowed to swim topless
Fitness scam
Market Chaos as USDC Loses Peg to USD after $3.3 Billion Reserves Held by Silicon Valley Bank Closed.
A primitive judge in Australia sparked outrage when he told a breastfeeding woman to leave his courtroom for being “a distraction"
Barcelona is feeling the heat as they face corruption charges over payments to former vice-president of Spain's referees' committee, Jose Maria Enriquez Negreira
Senator Tom Cotton: If the Mexican Government Won’t Stop Cartels from Killing Americans, Then U.S. Government Should
Banking regulators close SVB, the largest bank failure since the financial crisis
The unelected UK Prime Minister Rishi Sunak, an immigrant himself, defends new controversial crackdown on illegal migration
Old clip of Bill Gates saying Ukraine is a big, fat, corrupt sinkhole is going viral
Man’s penis amputated by mistake after he’s wrongly diagnosed with a tumour
In a major snub to Downing Street's Silicon Valley dreams, UK chip giant Arm has dealt a serious blow to the government's economic strategy by opting for a US listing
How do stolen goods end up on Amazon, eBay and Facebook Marketplace?
It's the question on everyone's lips: could a four-day workweek be the future of employment?
Is Gold the Ultimate Safe Haven Asset in Times of Uncertainty?
Spain officials quit over trains that were too wide for tunnels...
Don Lemon, a CNN anchor, has provided a list of five areas that he believes the black community needs to address.
Hello. Here is our news digest from London.
Corruption and Influence Buying Uncovered in International Mainstream Media: Investigation Reveals Growing Disinformation Mercenaries
Givenchy Store in New York Robbed of $50,000 in Merchandise
European MP Clare Daly condemns US attack on Nord Stream
Former U.S. President Carter will spend his remaining time at home and receive hospice care instead of medication
Tucker Carlson called Trump a 'demonic force'
US Joins 15 NATO Nations in Largest Space Data Collection Initiative in History
White House: No ETs over the United States