
The 19-year-old hacked 25 Teslas in a row, and the process was revealed!


Reporting by XinZhiyuan

Edited by: Good Sleepy La Yan Yuan Xie

The "25 Teslas hacked" incident has a follow-up: the 19-year-old behind it has described in detail on his personal blog the background, the consequences, and the technical steps he took. In addition, the related software vulnerability has been fixed.

On January 11, a 19-year-old hacker from Germany suddenly tweeted that he had gained control of more than 20 Teslas in 10 countries.

Subsequently, that number quickly rose to more than 25 Teslas in 13 countries.


In short, he could remotely make the compromised Teslas:

Unlock the doors

Open the windows

Start keyless driving

Share a video to the Tesla

Adjust the air conditioning mode and temperature

Control the horn and lights

David Colombo said that while he had no access to steering, acceleration, braking or other driving functions, it was theoretically possible to turn on Summon mode through the flaw and make a vehicle move on its own.

He has now published on his personal blog how he did it: the technical steps, the background and the consequences.

Let's first take a look at where the "hacked" Teslas were.


A Tesla Model Y in California


A Tesla in Europe


A Tesla Model 3 in Belgium (most of the time)


A Tesla Model 3 in the UK (London excluded)


A Tesla Model Y in Florida


A Tesla Model Y in and around Kitchener, Canada

Within a matter of hours, Colombo found more than 25 Teslas in 13 countries, including Germany, Belgium, Finland, Denmark, the United Kingdom, the United States, Canada, Italy, Ireland, France, Austria and Switzerland.

There were at least about 30 more in China, but Colombo was careful and did not touch those cars.

How the vulnerability was discovered

The story began last year, when Colombo was preparing to discuss a security audit with a SaaS client from Paris.

That is when his curiosity was sparked.

Before the official meeting, he wanted to take a quick look at the company's infrastructure, for example to get some basic information about which services and platforms they used.

Colombo thought that if he could quickly find some outdated software or an exposed backup database, he could present it at the meeting.


But apart from a standard "It works" page, nothing seemed to be running.

A very simple nmap scan then produced some results, but apart from a few "game server" ports there was nothing.

Things seemed odd.


Colombo tried to connect via telnet, without success.


However, accessing the ports through a browser showed that they actually pointed to TeslaMate.


Now things looked a lot more interesting.

However, trying to access the dashboard only produced an error.


But once again, curiosity took over.

TeslaMate is a self-hosted, open-source data logger for Teslas.

In theory, it is only used to fetch, store and display data; it cannot run any commands, such as unlocking a car door.

By looking at the Docker file, Colombo discovered that TeslaMate also ships with an installation of Grafana.

Port 5555: worth a try?


Sure enough, it worked.

Once in, Colombo saw a lot of data: the routes the Tesla had driven, charging locations, the current location, the usual parking spot, driving times, speeds, navigation requests, software update history, and even the weather history around the car.

That really is... not good.

As Colombo put it, he clearly should not have been able to learn from an exposed port where the SaaS company's CTO went on vacation last year.

So, if TeslaMate is able to pull all of a vehicle's data, might it also have a way to send commands to the Tesla?

With this idea in mind, Colombo took some time to read TeslaMate's source code to figure out how authentication is done, how Tesla credentials flow through the app, and where it stores users' API keys.

The result was somewhat unexpected: TeslaMate kept the API key in the same place as all the other data, neither stored separately nor encrypted.


So, if Grafana can read the vehicle data, and the API key is stored alongside that vehicle data, can Grafana read and output the API key?

Run a custom query with Grafana Explore? But that requires authentication, which looked like a dead end.

But have you ever heard of that age-old cybersecurity issue called the "default password"?


Yes, the Grafana shipped in TeslaMate's Docker setup is installed with default credentials.

It is also possible to query the token as an unauthenticated anonymous user, without logging in, through a Grafana endpoint.

Try logging in with admin:admin, and it works.

Build a query in Grafana Explore, query the API token, and there is nothing magical after that.

The default values a piece of software ships with are there for the administrator's convenience and are meant to be changed; by themselves they are not secure.

Developers often choose defaults that make the software as open and easy to use as possible out of the box. However, this convenience comes at a cost when a default is insecure and the administrator does not change it.


The process for gaining access to random Teslas around the world:

Search the Internet for TeslaMate instances

Make sure they run in the insecure default Docker configuration

Go to port 3000 and access the Grafana dashboard

Log in with the default credentials (of course, this may only be done with explicit authorization)

Go to the Explore tab

Use the query builder to extract the API token and refresh token

Have fun with the Tesla

Beyond the login issue, because of the vulnerability, even if the owner changed the admin password, an attacker could still run arbitrary queries against the TeslaMate data source as an unauthenticated anonymous Grafana user through Grafana's API endpoint.

However, this only affects the TeslaMate Docker setup, and a patch has now been released: version 1.25.1.
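The conditions the article describes (an unchanged admin password, anonymous access to the Grafana data-source API, and a Grafana port reachable from the Internet) and their hardened counterparts, shown as a docker-compose fragment for the Grafana service. This is an added illustration, not TeslaMate's own compose file or anything from Colombo's write-up; the service names, the `GRAFANA_ADMIN_PASSWORD` variable and the loopback-only port mapping are assumptions, while the `GF_*` variables are Grafana's standard environment settings.

```yaml
# Added example: two Grafana service definitions side by side.
# Service names and the GRAFANA_ADMIN_PASSWORD variable are assumptions;
# the GF_* keys are Grafana's own environment-variable settings.
services:

  # --- Weak shape: the one the article's steps rely on ---
  grafana-weak:
    image: grafana/grafana
    environment:
      - GF_SECURITY_ADMIN_USER=admin
      - GF_SECURITY_ADMIN_PASSWORD=admin     # shipped default, never changed
      - GF_AUTH_ANONYMOUS_ENABLED=true       # unauthenticated users may query data sources
      - GF_AUTH_ANONYMOUS_ORG_ROLE=Viewer
    ports:
      - "3000:3000"                          # bound on all interfaces: Internet-facing if the host is

  # --- Hardened shape ---
  grafana:
    image: grafana/grafana
    environment:
      - GF_SECURITY_ADMIN_USER=admin
      # compose refuses to start unless a unique password is supplied in .env
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:?set a unique admin password}
      - GF_AUTH_ANONYMOUS_ENABLED=false      # no anonymous Explore or data-source API calls
      - GF_USERS_ALLOW_SIGN_UP=false         # no self-registration of extra accounts
    ports:
      - "127.0.0.1:3000:3000"                # loopback only; reach it over a VPN or SSH tunnel
```

The port binding implements the "don't connect it to the Internet" advice later in the article, and disabling anonymous auth closes the path that survives an admin password change. Independently of Grafana, the database account that Grafana uses for its data source should be one that can only SELECT from the telemetry tables and has no rights on whatever table holds the Tesla tokens; then a query through Explore cannot return a token even if the dashboard is misconfigured.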


So, what should you do if you find such a vulnerability?

Report it to the responsible team.

What if you can't find them?

Then tweet about it.


Colombo said, half-jokingly, that he sent the tweet only out of frustration.

After a whole day of searching, he had been able to contact and inform only two Tesla owners.

Colombo also apologized for all the confusion and speculation the tweet may have caused.

And then... the tweet went viral.

To respect the privacy of the affected Tesla owners, identifying information was removed at the owners' request. In his article, the affected Tesla is referred to as "Big Blue".


Thanks to the tweet, Colombo found another Tesla owner, in Ireland.


However, even after the owner reset his Tesla account password several times, he was unable to revoke the API token.

Fortunately, after 4 hours of persistent effort, the token was finally revoked through an undocumented API endpoint.

Contact Tesla

When Colombo found there was no lawful way to locate the other affected owners, he contacted Tesla's product security team. (On Twitter, some netizens "supported the move" by posting a video of "you are hacked" displayed on a Tesla's screen.)

Tesla said it was investigating the issue and revoked all affected and legacy tokens shortly after.

According to Tesla's security team, all affected users should have received email notifications as of January 13, 2022.

So if you are a Tesla owner who has ever installed TeslaMate, check your inbox.


However, after the Tesla security team revoked tokens for the second time, some Tesla access tokens remained publicly reachable on the Internet, possibly because users had logged into the vulnerable TeslaMate again.

Colombo therefore wrote a Python script to automatically revoke the access tokens exposed by vulnerable instances.

The bad news is that the third batch of tokens does not seem to have any way to be revoked.

Publishing the vulnerability

Given that quite a few Tesla owners were affected, Colombo applied for a CVE number for the vulnerability.

CVE-2022-23126 description:

"The default Docker configuration in TeslaMate prior to 1.25.1 allows attackers to obtain victim-generated tokens and use them to perform unauthorized operations through Tesla's APIs, such as controlling certain key functions of the vehicle or leaking sensitive information."

It is important to understand that this is an open source project that evolves over time, so such a thing can happen.

Colombo also offers some advice:

Just don't connect important things to the Internet. It's that simple.

If you have to connect something to the Internet, make sure its security settings have actually been configured, rather than running it naked with default settings that may not be secure.


Full timeline

Here is the timeline of events as recorded by David Colombo, all in Central European Time:

2021-10-29: First learned of this (first affected third-party case found)

2021-10-29: Contacted the owner

2021-11-01: Documented the case

2022-01-09: Internet-wide search for affected third-party cases

2022-01-10: More than 20 cases found in 12 countries

2022-01-10: Trying to find the owners' identities

2022-01-10: I reported this to the two Tesla owners I could find

2022-01-10: I sent a tweet because I could not identify more Tesla owners

2022-01-10: The tweet went viral

2022-01-10: Known cases increased to more than 25 in 13 countries

2022-01-10: I spoke with John Jackson, a well-known cybersecurity expert, who recommended that I get a CVE-ID so that it could be handled more effectively

2022-01-11: Applied to MITRE for a CVE-ID and provided some preliminary information

2022-01-11: Prepared a detailed write-up describing the whole situation

2022-01-11: Contacted Tesla's product security team and asked them to inform the affected owners as soon as possible

2022-01-11: Contacted the third-party maintainers and asked them to prepare a patch as soon as possible

2022-01-11: Shared more information about affected car owners with Tesla's product security team

2022-01-11: MITRE approved my CVE-ID application: CVE-2022-23126 (reserved)

2022-01-11: Tesla's product security team says they are investigating the cases

2022-01-12: Third-party maintainers release version 1.25.1 with a partial patch

2022-01-12: Tesla revoked thousands of potentially affected API tokens at 6:30 UTC / 7:30 CET

2022-01-12: Tesla forces some affected users to reset their passwords

2022-01-12: Waiting for a further reply from Tesla's product security team

2022-01-12: Developing further potential patches with the third-party maintainers (encrypting critical access tokens)

2022-01-13: Tesla's product security team said they had revoked all affected API tokens and informed all affected Tesla owners through email and push notifications

2022-01-13: Some previously affected Tesla owners are still affected

2022-01-18: Followed up with Tesla again, waiting for further notice from Tesla's product security team

2022-01-19: Tesla revokes another batch of access tokens

2022-01-10: Another vulnerability found and reported, this time directly affecting Tesla's API

2022-01-22: Tesla acknowledged the new vulnerability and remediated it in production

2022-01-24: Published this write-up publicly

Who is he?

David Colombo, 19, says his family lives in Bavaria, Germany, a two-hour drive from Munich.

Colombo says he started writing code at the age of 10 and has since thrown himself into cybersecurity. At 15 he effectively dropped out of school by applying to the German Ministry of Commerce for a special permit allowing him to attend school only 2 days a week.

The school, for its part, was not very keen to have him there: when he did attend, the school's information screens often failed for no apparent reason.

David Colombo now runs a one-man company of the classic small-workshop kind, but with modern tools: he founded "Colombo Technology", taught himself programming, and went into business as a white-hat hacker.

His customers include a variety of organizations, from Red Bull to the U.S. Department of Defense, that need their cybersecurity verified.


Resources:

https://medium.com/@david_colombo/how-i-got-access-to-25-teslas-around-the-world-by-accident-and-curiosity-8b9ef040a028
