[BreachExchange] Teen Tesla Hacker Accessed Owners’ Email Addresses to Warn Them

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Jan 25 09:10:14 EST 2022


https://finance.yahoo.com/news/teen-tesla-hacker-accessed-owners-004233548.html

(Bloomberg) -- The 19-year-old cybersecurity researcher who remotely
accessed dozens of Tesla Inc. vehicles through a third-party flaw has a
new trick: hacking the car owners’ email addresses to notify them they’re
at risk.

Earlier this month, David Colombo discovered a flaw in a piece of
third-party open source software that let him remotely hijack some
functions on about two dozen Teslas, including opening and closing the
doors or honking the horn. In trying to notify the affected car owners, he
then found a flaw in Tesla’s software for the digital car key that allowed
him to learn their email addresses.

Colombo said the defect was in a Tesla application programming interface,
or API. After he publicized his first discovery, a Twitter user suggested
contact details for the affected owners could be found through the interface
that lets two pieces of software communicate with each other, also known as
an API endpoint.

“Once I was able to figure out the endpoint, I was indeed able to carry the
email address associated with the Tesla API key, the digital car key,”
Colombo said in an interview Monday with Bloomberg Television. “You
shouldn’t be able to carry sensitive information like an email address
using an access that is already expired or revoked.”
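The defect described above is an endpoint that still returned the email address tied to an API key after that key had expired or been revoked. The following is an added example, not Tesla's code or API: a constructed token store with a vulnerable owner lookup that only checks whether the key exists, beside a hardened lookup that verifies expiry and revocation before touching any owner data. All names (`TokenStore`, `hardened_owner_lookup`, the `key-*` identifiers and `@example.com` addresses) are constructed for illustration.

```python
"""Added example: enforce expiry and revocation before disclosing owner data.

Constructed illustration, not Tesla's code or API. The article describes an
endpoint that disclosed the email address bound to an API key even after the
key was expired or revoked; the hardened handler below refuses both cases.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Set, Tuple

# Fixed clock so the example is deterministic (constructed value).
NOW = datetime(2022, 1, 24, 12, 0, tzinfo=timezone.utc)


@dataclass
class Token:
    token_id: str
    owner_email: str
    expires_at: datetime


@dataclass
class TokenStore:
    """Hypothetical server-side record of issued and revoked API keys."""
    tokens: Dict[str, Token] = field(default_factory=dict)
    revoked: Set[str] = field(default_factory=set)

    def issue(self, token_id: str, email: str, expires_at: datetime) -> None:
        self.tokens[token_id] = Token(token_id, email, expires_at)

    def revoke(self, token_id: str) -> None:
        # Revocation is recorded separately so a revoked key stays known
        # (useful for audit) but can never authorize anything again.
        self.revoked.add(token_id)


def token_is_valid(store: TokenStore, token_id: str, now: datetime) -> bool:
    """A key authorizes a request only if it exists, is not revoked, and is unexpired."""
    tok = store.tokens.get(token_id)
    if tok is None:
        return False
    if token_id in store.revoked:
        return False
    if now >= tok.expires_at:
        return False
    return True


def vulnerable_owner_lookup(store: TokenStore, token_id: str) -> Tuple[dict, int]:
    """Defective pattern: resolves the key to its owner without checking key state."""
    tok = store.tokens.get(token_id)
    if tok is None:
        return {"error": "unknown token"}, 404
    return {"email": tok.owner_email}, 200


def hardened_owner_lookup(store: TokenStore, token_id: str, now: datetime) -> Tuple[dict, int]:
    """Fixed pattern: authorization is decided before any owner data is read."""
    if not token_is_valid(store, token_id, now):
        # Same response for missing, revoked and expired keys: no hint about
        # which one applied, and nothing about the owner leaves the server.
        return {"error": "unauthorized"}, 401
    return {"email": store.tokens[token_id].owner_email}, 200


def demo() -> Dict[str, Dict[str, Tuple[dict, int]]]:
    """Run both handlers over a live, an expired and a revoked key (constructed data)."""
    store = TokenStore()
    store.issue("key-live", "owner1@example.com", NOW + timedelta(hours=1))
    store.issue("key-expired", "owner2@example.com", NOW - timedelta(minutes=1))
    store.issue("key-revoked", "owner3@example.com", NOW + timedelta(hours=1))
    store.revoke("key-revoked")
    keys = ["key-live", "key-expired", "key-revoked", "key-unknown"]
    return {
        "vulnerable": {k: vulnerable_owner_lookup(store, k) for k in keys},
        "hardened": {k: hardened_owner_lookup(store, k, NOW) for k in keys},
    }


if __name__ == "__main__":
    for handler, results in demo().items():
        for key, (body, status) in results.items():
            print(f"{handler:10s} {key:12s} -> {status} {body}")
```

The point of the split is that `token_is_valid` runs before any lookup of owner data, so an expired or revoked key never reaches the code path that could disclose an email address; the vulnerable variant shows how a handler that only asks "does this key exist?" leaks the same field for all three keys.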

The teenager, from Dinkelsbühl, Germany, said he has shared the additional
vulnerability with Tesla, and the car company’s engineers have written a
fix to prevent it from happening in the future.

Tesla didn’t respond to a request for comment. Colombo said his additional
discovery should be eligible for a “bug bounty” from Tesla -- consistent
with the company’s policy -- but officials there haven’t confirmed an
amount with him. He joked that he hopes the sum is big enough to cover the
coffee bill he’s amassed working on the original flaw the last two weeks.