So, I now have full remote control of over 20 Tesla’s in 10 countries and there seems to be no way to find the owners and report it to them…
Since these important facts seem to drown between other comments, I‘ll add them here again 👇
This is not a vulnerability in Tesla‘s infrastructure. It‘s the owners faults. That‘s why I would need to report this to the owners as stated above.
[1/X]
This is not a vulnerability in Tesla‘s infrastructure. It‘s the owners faults. That‘s why I would need to report this to the owners as stated above.
[1/X]
Nevertheless I now can remotely run commands on 25+ Tesla‘s in 13 countries without the owners knowledge.
Regarding what I‘m able to do with these Tesla‘s now.
This includes disabling Sentry Mode, opening the doors/windows and even starting Keyless Driving.
[2/X]
Regarding what I‘m able to do with these Tesla‘s now.
This includes disabling Sentry Mode, opening the doors/windows and even starting Keyless Driving.
[2/X]
I could also query the exact location, see if a driver is present and so on. The list is pretty long.
And yes, I also could remotely rick roll the affected owners by playing Rick Astley on Youtube in their Tesla‘s😂
[3/X]
And yes, I also could remotely rick roll the affected owners by playing Rick Astley on Youtube in their Tesla‘s😂
[3/X]
I think it‘s pretty dangerous, if someone is able to remotely blast music on full volume or open the windows/doors while you are on the highway.
Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers.
[4/X]
Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers.
[4/X]
That‘s why I would like to get this all fixed before I release any specific details regarding what exactly this all is about.
Next steps:
- Waiting for MITRE‘s reply regarding a CVE
- Preparing my Writeup
- Coordinating disclosure to affected owners with Tesla
[5/5]
Next steps:
- Waiting for MITRE‘s reply regarding a CVE
- Preparing my Writeup
- Coordinating disclosure to affected owners with Tesla
[5/5]
Small addition (for media reporters):
As already stated in some other replies, it is not „full remote control“ as in being able to remotely control steering or acceleration & braking.
[6/7]
As already stated in some other replies, it is not „full remote control“ as in being able to remotely control steering or acceleration & braking.
[6/7]
Yes, I potentially could unlock the doors and start driving the affected Tesla‘s.
No I can not intervene with someone driving (other than starting music at max volume or flashing lights) and I also can not drive these Tesla‘s remotely.
[7/7]
No I can not intervene with someone driving (other than starting music at max volume or flashing lights) and I also can not drive these Tesla‘s remotely.
[7/7]
Addition as of 11. Jan 22:33 (CET)
Tesla‘s Security Team just confirmed to me they’re investigating and will get back to me with updates as soon as they have them.
[8/8]
Tesla‘s Security Team just confirmed to me they’re investigating and will get back to me with updates as soon as they have them.
[8/8]
The MITRE CVE Assignment Team reserved a CVE for it.
🎉
[9/9]
🎉
[9/9]
• • •
Missing some Tweet in this thread? You can try to
force a refresh
