
Tesla, cracked...

The safety of intelligent networked vehicles has always been a concern.

Not long ago, the owner saw a report that a 19-year-old "hacker" had cracked 25 Teslas in a row, remotely controlling doors and windows, lights, and music, and could even drive the cars away.

It's scary to think about, but fortunately, Tesla has launched a patch to fix it after receiving the report.

The full story of this cracking incident

David Colombo, a 19-year-old German boy working on cybersecurity, recently made a big discovery.


During a security review for a French company, he noticed that a software program in the company's network leaked all the data of the Tesla driven by the company's CTO, including the car's driving record and precise location at the time.

But that wasn't all. As the investigation deepened, Colombo realized that he could push commands to the Teslas whose owners used the program. This allowed him to hijack some of the cars' features, including opening and closing doors and windows, turning up music, playing videos, turning on keyless driving, and disabling security features. However, he could not control the cars' steering, braking, or other driving operations.


Colombo's discovery sparked a lively discussion on Twitter. With Internet of Things devices now ubiquitous, cybersecurity issues put everyone on edge.

In a Jan. 11 tweet, Colombo said he could already push commands to at least 25 cars in 13 countries. Subsequent analysis shows that this number can be expanded to hundreds of vehicles.

It's worth noting that these flaws don't exist in Tesla's cars or Tesla's network, but in a piece of open-source software that owners use to collect and analyze data from their own cars.


After discovering these issues, Colombo contacted Tesla's security team. He provided the team with screenshots and other documents explaining his findings in detail and identifying the makers of the affected third-party software, but did not release the details to the media. The team immediately began an investigation. A spokesman for the National Highway Traffic Safety Administration also said it had been in touch with Tesla on the matter and that the agency's cybersecurity technology team would assist in assessing and reviewing the information.


Since Colombo didn't provide details of the software, Twitter users made their own guesses. For example, many people associated the expiration of thousands of Tesla authentication tokens with this event.


But Tesla explained that the vulnerability reported by Colombo involved another platform. Because the platform uses V2 Tesla tokens, which are all expired, no TezLab user is at risk because of the vulnerability described in David's post.


Teslascope founder Tyler Corsair also clarified on Twitter: "The users Colombo mentioned used an open source project called TeslaMate and then misconfigured it (in part because the developer set the wrong default configuration), so anyone can access it remotely." After receiving the report, they have launched a patch.


He started programming at the age of 10 and started a company at the age of 15

Specializing in cybersecurity, Colombo claims to have "written the first piece of code at the age of 10" and that his company's goal is to "help protect every business from evolving threat actors in cyberspace."

His mother developed breast cancer when he was 13 years old and died the following year; he chose to immerse himself further in programming to distract himself.

Tired of the rhythm of school, he and his father successfully applied for a special approval when he was 15 years old, allowing him to go to school only two days a week. He spent the rest of the time expanding his cybersecurity skills and founding a consulting firm called Colombo Technology.


"I had to learn Latin and literary analysis, and then I was thinking, why? I can focus on the security aspect of something to protect the company," he said, adding that he thought school was "a waste of time."

Colombo said he takes part in several "bug bounty" programs, in which companies offer bounties to independent security researchers who find weaknesses in their products, and that he consults for companies to help them assess their security.

How vulnerable are connected cars?

Of course, this is not the first time cybersecurity personnel have disclosed potentially serious security vulnerabilities involving connected cars. In 2015, two security researchers disclosed an attack in which a Wired reporter remotely took control of a Jeep Cherokee and shut down its engine while driving the car at 70 miles per hour on a U.S. highway. The automaker recalled 1.4 million cars and trucks due to flaws in the internet-connected infotainment system, the first car recall triggered by a cybersecurity concern.

Since then, researchers have begun to disclose many of the other hacking risks they have identified, increasingly coming from the cars' complex electronics.

Shortly after the Jeep hack came to light, another group of researchers revealed software flaws in the Tesla Model S that could allow hackers to shut down the engine of a moving car. After the researchers coordinated with Tesla, the latter released a software fix.

In 2020, the Autopilot of the Tesla Model X was hacked several times. In one case, researchers at Ben Gurion University in Israel tricked cars into accidentally braking or steering in the wrong direction by flashing "phantom" images on roads, walls, or signs.


A few months later, Lennert Wouters, a researcher at the University of Leuven in Belgium, "stole" a Tesla Model X in 90 seconds.

At last fall's 2021 World New Energy Vehicle Congress, Musk promised that he would work with regulators to ensure that the personal data of EV owners is protected from hackers.

"With the rapid development of autonomous driving technology, the data security of vehicles is receiving more public attention than ever before," Musk said. By 2025, an estimated 470 million cars will be connected to computerized databases, making them ripe targets for cybercriminals.

Colombo said he contacted three Tesla owners in Germany, the United States and Ireland before disclosing his findings. He showed a screenshot of a private conversation on Twitter in which one of the affected owners allowed him to remotely honk the car horn to confirm the vulnerability.

After failing to find contact information for the other Tesla owners whose data was compromised, he decided to publish his findings.

"I want to remind the owner, that's what it was," he said. "Because if I don't, maybe malicious people will find out about those system vulnerabilities and do something bad. Imagine someone who can control your Tesla, open the door, and drive around."

Reposted from: Heart of the Machine

Reference link: https://cacm.acm.org/news/257853-teen-cyber-prodigy-stumbled-onto-flaw-letting-him-hijack-teslas/fulltext
