The downside with offering APIs to interact with a car is that someone else’s security problem might become your own.
A young hacker and computer security researcher has found a way to remotely interact with more than 25 Tesla electric vehicles in 13 countries, according to a Twitter thread he posted yesterday.
David Colombo explained in the thread that the flaw «wasn’t a vulnerability in Tesla’s infrastructure. It’s the owner’s fault.» He claimed to be able to remotely disable a car’s camera system, unlock doors and open windows, and even start driving without a key. It could also determine the exact location of the car.
However, Colombo has made it clear that it can’t actually interact with Tesla’s steering, throttle, or brakes, so at least we don’t have to worry about an army of remote-control electric vehicles doing a Fate reenactment.
Colombo says he reported the issue to Tesla’s security team, which is investigating the matter.
On a related note, early Wednesday morning, a third-party app called TezLab reported seeing “multiple thousand Tesla Authentication Tokens expiring at the same time.”
The TezLab application uses Tesla’s APIs which allow applications to perform operations such as accessing the car and activating or deactivating the anti-theft camera system, unlocking doors, opening windows, etc