So, I now have full remote control of over 20 Tesla’s in 10 countries and there seems to be no way to find the owners and report it to them…
Since these important facts seem to drown between other comments, I‘ll add them here again 👇

This is not a vulnerability in Tesla‘s infrastructure. It‘s the owners faults. That‘s why I would need to report this to the owners as stated above.

[1/X]
Nevertheless I now can remotely run commands on 25+ Tesla‘s in 13 countries without the owners knowledge.

Regarding what I‘m able to do with these Tesla‘s now.
This includes disabling Sentry Mode, opening the doors/windows and even starting Keyless Driving.

[2/X]
I could also query the exact location, see if a driver is present and so on. The list is pretty long.

And yes, I also could remotely rick roll the affected owners by playing Rick Astley on Youtube in their Tesla‘s😂

[3/X]
I think it‘s pretty dangerous, if someone is able to remotely blast music on full volume or open the windows/doors while you are on the highway.

Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers.

[4/X]
That‘s why I would like to get this all fixed before I release any specific details regarding what exactly this all is about.

Next steps:
- Waiting for MITRE‘s reply regarding a CVE
- Preparing my Writeup
- Coordinating disclosure to affected owners with Tesla

[5/5]
Small addition (for media reporters):

As already stated in some other replies, it is not „full remote control“ as in being able to remotely control steering or acceleration & braking.

[6/7]
Yes, I potentially could unlock the doors and start driving the affected Tesla‘s.

No I can not intervene with someone driving (other than starting music at max volume or flashing lights) and I also can not drive these Tesla‘s remotely.

[7/7]
Addition as of 11. Jan 22:33 (CET)

Tesla‘s Security Team just confirmed to me they’re investigating and will get back to me with updates as soon as they have them.

[8/8]
The MITRE CVE Assignment Team reserved a CVE for it.

🎉

[9/9]

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with David Colombo

David Colombo Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(