
30+ Tesla Cars Hacked Using Third-Party Software

A security researcher identified a vulnerability in TeslaLogger, a third-party software used to collect data from Tesla vehicles, that leveraged insecure default settings that could be exploited to gain unauthorized access to TeslaLogger instances. 

He reported the issue to the TeslaLogger maintainer, who took steps to mitigate the risk. It is important to note that this vulnerability does not reside within Tesla vehicles or Tesla's infrastructure.

The researcher identified the vulnerabilities in TeslaLogger, an open-source data logger for Tesla cars, while searching for interesting automotive projects.

After installing it on his laptop using Docker, the researcher used nmap to identify the running services: the MariaDB database (port 3306), the Grafana visualization tool (port 3000), and an admin panel (port 8888).

Nmap result

Intrigued by MariaDB and Grafana, he used DBeaver to connect to the database with the default credentials found in the project repository. Hoping to extract the Tesla car API key, he ran a SQL query to retrieve all data from the 'cars' table.

The same risk exists in any Tesla integration that uses the Tesla API: compromised Tesla tokens, including access tokens and refresh tokens, grant an attacker full remote control over the car.

Database

While Tesla’s API employs Role-Based Access Control (RBAC), Tesla logger applications often request excessive permissions, allowing attackers to exploit the API key to manipulate the car’s state (e.g., adding drivers, unlocking doors, controlling climate). 


This issue persists even if the database is not exposed, as alternative methods for obtaining API keys exist. Certain Tesla logger implementations on Raspberry Pi devices further exacerbate the problem by negligently exposing the API key. 

required permission to run properly

Harish SG discovered a vulnerable Grafana dashboard with default credentials, allowing access to Tesla API tokens. TeslaLogger, a third-party software used for Tesla data logging, was vulnerable due to storing credentials in plain text and insecure default configurations. 

By exploiting these weaknesses, he identified over 30 TeslaLogger instances susceptible to remote attacks, potentially granting control of Tesla vehicles, and responsibly reported the findings to the TeslaLogger developer after locating their contact information.

public internet censys

He disclosed a vulnerability in TeslaLogger, a third-party software for Tesla cars, that could have allowed attackers to steal Tesla API credentials if they compromised the TeslaLogger database.

Findings

He worked with the TeslaLogger maintainer to fix the issue, which involved encrypting the API credentials in the database and adding authentication to the admin panel. He did not report the issue directly to Tesla because of an unhelpful response he had received from Tesla in the past regarding a similar issue with another third-party software.
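The remediation described above, sealing the Tesla tokens before they are written to the 'cars' table, as an added example in Go (not TeslaLogger's own code): the `TokenVault` type, the use of the car id as associated data, and the assumption that the 32-byte key is supplied from the runtime environment rather than the repository are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// TokenVault seals Tesla access/refresh tokens before they reach the 'cars' table.
// The 32-byte key comes from the environment or a secrets manager, never from the
// repository that also ships the default database credentials (assumed design).
type TokenVault struct{ aead cipher.AEAD }

func NewTokenVault(key []byte) (*TokenVault, error) {
	block, err := aes.NewCipher(key) // errors on any length other than 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead}, nil
}

// Seal returns base64(nonce || ciphertext || tag); the car id is bound as associated
// data so a sealed token copied into another car's row will not open.
func (v *TokenVault) Seal(carID, token string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(token), []byte(carID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal; it fails on a wrong key, a tampered blob or a mismatched car id.
func (v *TokenVault) Open(carID, blob string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(blob)
	ns := v.aead.NonceSize()
	if err != nil || len(ct) < ns {
		return "", errors.New("malformed sealed token")
	}
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(carID))
	if err != nil {
		return "", err // wrong key, tampering, or token moved to a different car id
	}
	return string(pt), nil
}
```

With this in place, a database dump like the one obtained through the default credentials yields only sealed blobs, and the admin panel authentication remains a separate control.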


Kaaviya Ragupathy

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.
