
SoylentNews is people

posted by janrinok on Sunday January 16 2022, @12:59AM
from the going-soon-from-outside-a-house-near-you dept.

Teen hacker finds bug that lets him control 25+ Teslas remotely:

A young hacker and IT security researcher found a way to remotely interact with more than 25 Tesla electric vehicles in 13 countries, according to a Twitter thread he posted yesterday.

David Colombo explained in the thread that the flaw was "not a vulnerability in Tesla's infrastructure. It's the owner's faults." He claimed to be able to disable a car's remote camera system, unlock doors and open windows, and even begin keyless driving. He could also determine the car's exact location.

However, Colombo clarified that he could not actually interact with any of the Teslas' steering, throttle, or brakes, so at least we don't have to worry about an army of remote-controlled EVs doing a Fate of the Furious reenactment.



  • (Score: 5, Insightful) by Snotnose on Sunday January 16 2022, @01:18AM (4 children)

    by Snotnose (1623) on Sunday January 16 2022, @01:18AM (#1213043)

    Is a script kiddie an IT researcher? What if s/he tweaks a line or three of a script, does that make them an IT researcher?

    I have trouble believing a teenager, especially an American teen, can qualify as an IT researcher. Don't get me wrong, s/he could be the second coming of Elon Musk. But I doubt it.

    For some background, back in the (300 baud) day I used to disassemble code on my TRS-80, and hang out on BBS systems. One day I got a message to call a certain phone number. I did. I was in the Montgomery Ward ordering system. No login, no password, if you knew that number you were in. I ordered myself a top of the line refrigerator, then cancelled it when they wanted a delivery address. I hung up then because A) I couldn't believe they were that naive; and B) I was renting an apartment and had nowhere to put a top of the line fridge.

    Did that make me an IT researcher? Aww hell no. The IT researcher in me was spending 8 hours disassembling game code to save me 1 hour of actually playing the damned game. That taught me more z-80 assembly than any number of books would have.

    Could I have ordered a complete living room and bedroom set of furniture, along with a TV, and gotten away with it? 90% sure now that I look back on it, but even 10% chance of no would have noped me right out. Which it did.

    --
    Why shouldn't we judge a book by its cover? It's got the author, title, and a summary of what the book's about.
    • (Score: 0, Insightful) by Anonymous Coward on Sunday January 16 2022, @05:13AM

      by Anonymous Coward on Sunday January 16 2022, @05:13AM (#1213078)

      This kid is obviously brilliant and you are so resentful it's sad. You try to punch down the super genius kid, that is getting more attention than you because of his accomplishments, but fail epically.

      This prodigy hacked Elon Musk's cars! I can tell from your post that you wish you were an IT professional, so that really makes you especially even more jealous because he's a famous IT researcher.

      Fine, be envious of gifted people like this teenager... but thanks to forward thinking security experts like this we can rest easier on the cyber-front.

    • (Score: 1, Informative) by Anonymous Coward on Sunday January 16 2022, @07:10AM

      by Anonymous Coward on Sunday January 16 2022, @07:10AM (#1213082)

      The script kiddie found the bug and the IT researchers didn't.

    • (Score: 2) by Muad'Dave on Sunday January 16 2022, @12:49PM

      by Muad'Dave (1413) on Sunday January 16 2022, @12:49PM (#1213112)

      > I used to disassemble code on my TRS-80 ... That taught me more z-80 assembly than any number of books would have.

      Your teen years sound an awful lot like mine. I didn't have money to buy games to disassemble, so I wrote my own _in machine code_ by hand-generating the opcodes and data and poking them into RAM via a BASIC program. My GOD it was fast compared to BASIC!

      I still enjoy programming microcontrollers in assembly to this day.

    • (Score: 0) by Anonymous Coward on Monday January 17 2022, @01:17PM

      by Anonymous Coward on Monday January 17 2022, @01:17PM (#1213379)

      > Is a script kiddie an IT researcher?
      At least as much as clowns that know only a subset of a group of DSLs and call themselves "full stack software engineers".

  • (Score: 0) by Anonymous Coward on Sunday January 16 2022, @01:29AM (3 children)

    by Anonymous Coward on Sunday January 16 2022, @01:29AM (#1213048)

    In-vehicle networks are almost completely insecure, because they all use the CAN bus, which has no security whatsoever. Even if the safety critical stuff isn't connected directly to it, it's always connected to something that is.

    And if you can unlock the doors and start the engine - well not literally the engine, in a Tesla - you can steal the car while looking completely innocent.

    • (Score: 3, Informative) by Snotnose on Sunday January 16 2022, @02:18AM (1 child)

      by Snotnose (1623) on Sunday January 16 2022, @02:18AM (#1213058)

      The CAN bus is a modified I2C bus, which is much too slow to deal with wireless connectivity.

      The conclusion being some upper layer that was responsible for 802.11x to CAN is responsible for security. And it dropped its pants, not the CAN bus itself.

      To put it another way, if your "smart tv" is hacked, can you blame the remote?

      --
      Why shouldn't we judge a book by its cover? It's got the author, title, and a summary of what the book's about.
      • (Score: 4, Informative) by Anonymous Coward on Sunday January 16 2022, @03:41AM

        by Anonymous Coward on Sunday January 16 2022, @03:41AM (#1213070)

        Note that the summary says "in 13 countries". Teslas have an app that lets you control some features from your cellphone over the internet. It's a horrible idea, but everything is going that way these days, and luxury cars are no exception. As for this incident, it isn't even the car getting hacked but the control website. As per the Ars article, Tesla's fix was to revoke thousands of authentication tokens, no doubt either due to weak passwords or people posting their access tokens to the net. Yes, people do that. Yes, it's just as stupid as it sounds.
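Editor's added example, not code from the article, from any commenter, from Tesla, or from the third-party app Colombo reported on: a toy bearer-token vehicle API in Python that shows why a token leaked from an integration's config file is as good as the owner's login, and what the two remedies mentioned in this thread actually change: bulk revocation of every token issued to one client app (what the comment above says Tesla did), and issuing least-privilege scopes so that a future leak exposes location, not door locks or keyless driving. Every name in it (`VehicleApi`, the scope strings, `stats-app`, `alice`, the `vehicle_token=` config line) is invented for the illustration.

```python
import secrets
from dataclasses import dataclass

# Hypothetical scopes and the scope each vehicle command requires.
SCOPE_FOR = {
    "location": "vehicle:read",
    "unlock": "vehicle:unlock",
    "keyless_start": "vehicle:drive",
}
ALL_SCOPES = frozenset(SCOPE_FOR.values())


@dataclass
class Token:
    value: str
    owner: str          # account the token acts for
    client_id: str      # third-party app it was issued to
    scopes: frozenset
    revoked: bool = False


class VehicleApi:
    """Toy bearer-token API: whoever presents a valid token gets its powers."""

    def __init__(self):
        self._tokens = {}  # token value -> Token, server side only

    def issue(self, owner, client_id, scopes=ALL_SCOPES):
        value = secrets.token_urlsafe(32)
        self._tokens[value] = Token(value, owner, client_id, frozenset(scopes))
        return value

    def command(self, token_value, owner, action):
        tok = self._tokens.get(token_value)
        if tok is None or tok.revoked:
            return "denied: invalid or revoked token"
        if tok.owner != owner:
            return "denied: token was not issued for this account"
        needed = SCOPE_FOR[action]
        if needed not in tok.scopes:
            return f"denied: token lacks scope {needed}"
        return f"ok: {action} for {owner} via {tok.client_id}"

    def revoke_client(self, client_id):
        """Kill every live token issued to one app; returns how many there were."""
        live = [t for t in self._tokens.values()
                if t.client_id == client_id and not t.revoked]
        for t in live:
            t.revoked = True
        return len(live)


class LeakyThirdPartyApp:
    """Hypothetical integration that persists the owner's token in plaintext
    somewhere it can be read back (world-readable config, a log, a paste)."""

    def __init__(self):
        self.config_lines = []

    def link_car(self, token):
        self.config_lines.append(f"vehicle_token={token}")  # the leak


def harvest(config_lines):
    """What an attacker does with the exposed file: pull the tokens out."""
    return [ln.split("=", 1)[1] for ln in config_lines
            if ln.startswith("vehicle_token=")]


def scenario():
    api = VehicleApi()
    app = LeakyThirdPartyApp()

    # 1. Owner links the car with an all-scope token; the app writes it to disk.
    full = api.issue("alice", "stats-app")
    app.link_car(full)

    # 2. Attacker reads the config and replays the token: it simply works,
    #    though only against the account the token was issued for.
    stolen = harvest(app.config_lines)[0]
    unlock_before = api.command(stolen, "alice", "unlock")
    wrong_owner = api.command(stolen, "bob", "unlock")

    # 3. Server-side remediation: revoke everything issued to the leaky app.
    revoked = api.revoke_client("stats-app")
    unlock_after = api.command(stolen, "alice", "unlock")

    # 4. Least privilege: re-link with a read-only token. If the app leaks
    #    again, the attacker gets location, not unlock or keyless driving.
    readonly = api.issue("alice", "stats-app", {"vehicle:read"})
    app.link_car(readonly)
    stolen_ro = harvest(app.config_lines)[-1]
    return {
        "unlock_before": unlock_before,
        "wrong_owner": wrong_owner,
        "revoked": revoked,
        "unlock_after": unlock_after,
        "ro_unlock": api.command(stolen_ro, "alice", "unlock"),
        "ro_location": api.command(stolen_ro, "alice", "location"),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:14} {result}")
```

The point the toy makes is that nothing in the replay step distinguishes the attacker from the owner's phone: a bearer token carries no proof of who holds it, so the only controls the server can apply after a leak are the ones it built in beforehand (per-client revocation and narrow scopes). An integration that needs nothing but telemetry should never have been handed a token that can unlock doors.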

    • (Score: 4, Funny) by maxwell demon on Sunday January 16 2022, @07:08PM

      by maxwell demon (1608) on Sunday January 16 2022, @07:08PM (#1213203) Journal

      Just wait until the cars are fully self-driving. Then the hacker can just order your car to come to him.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 5, Informative) by Fnord666 on Sunday January 16 2022, @05:08AM (2 children)

    by Fnord666 (652) on Sunday January 16 2022, @05:08AM (#1213077) Homepage

    A Bloomberg article [bloomberg.com] has some additional details. It looks like there's a third party app that can interact with the Tesla.

    As far as the issue goes,

    The problem involves an insecure way the software stores sensitive information that’s needed to link the cars to the program, Colombo said. In the wrong hands, that information could be stolen and repurposed by hackers to send malicious commands to the cars, he said.

    I'm not sure how that translates into:

    Colombo states "it's the owner's faults" he has managed to gain access to their cars.

    He has apparently disclosed the issue to both Tesla and the third party software vendor.

    Colombo said that he has been in touch with members of Tesla’s security team and the maker of the third-party software.

    but

    He[Colombo] asked that Bloomberg not publish specifics because the affected organization hasn’t yet published a fix.

    With regard to his qualifications,

    A self-described Tesla fan, Colombo said he started coding when he was 10 years old. Frustrated with high school coursework, his father helped him petition German authorities to let him go to school two days per week and spend the rest of his time expanding his cybersecurity skills. He also developed a company called Colombo Technology.

    Additional sources cited:
    PCMag [pcmag.com]
    Fortune [fortune.com]

    • (Score: 1, Insightful) by Anonymous Coward on Sunday January 16 2022, @10:39AM (1 child)

      by Anonymous Coward on Sunday January 16 2022, @10:39AM (#1213094)

      The only thing I'd like to know is how can I vote for this young genius for President? We need someone up with the Cyber.

      • (Score: 1, Funny) by Anonymous Coward on Sunday January 16 2022, @12:49PM

        by Anonymous Coward on Sunday January 16 2022, @12:49PM (#1213111)

        more likely to claim he was a global terrahaxor, and back him into a south american embassy for a few years before sending him to a blacksite where Snotnose gets to quiz him on obscure trs80 assembly syntax into the wee small hours under harsh lighting.
