David Colombo, better known as the 19-year-old Tesla hacker, has been receiving a great deal of attention recently, and there’s a good reason for that. Well, maybe the crime isn’t so good, but the feat is no laughing matter!
Mr. Colombo, now an infamous dark web hacker, was at that young age able to remotely access the cars of 25 of the world’s largest electric vehicle (‘EV’) manufacturers across 13 different countries, all because of a weakness in some third-party software. By abusing one little chink in the tech giant’s armor, he was able to start each vehicle up with no problem. He could even unlock the doors, blast music, and open the windows however he pleased, all from the comfort of his little hideaway.
How was he able to do this, you might wonder? Simply put, the vulnerabilities he discovered were not in Tesla’s software to begin with; they were in the aforementioned third-party program. Because of this, there were things he could not do, such as steer or control how fast or slow the vehicles moved. However, this very young dark web hacker could collect private data from the hacked vehicles, and that is the biggest danger.
For true cybersecurity veterans, app key theft is commonplace, enough for us consumers to grow numb to the deep web security hacks that occur nearly every day. Because of this, we often miss the value of these key moments for educating consumers on the huge waves cyberattacks and cybersecurity are making in today’s world.
Now, why does this matter? Well, according to Colombo’s tweet, the fault line he ended up abusing came from the owners of these cars, not the company.
The whole compromise was only possible because of a ‘cybersecurity hygiene’ issue, a blunder that should never have occurred. The third-party program in question might have been a self-hosted data logger, as Tesla abruptly deprecated thousands of authentication tokens the day after Colombo posted his Twitter thread. Other Twitter users agreed with this view, pointing out that the app’s basic settings allowed just about anybody to have remote access to the cars.
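As an added illustration, not taken from the original post or from any real logger, here is a small defender-side audit of the kind of exposed-by-default deployment settings the post blames. The configuration keys, the two sample configurations and the severity labels are all hypothetical and constructed for this example.

```python
"""Audit a self-hosted vehicle data logger's deployment settings for the
'cybersecurity hygiene' failures described above: a web UI reachable from
anywhere with no login, a default password, and the vehicle API token kept
in a plaintext config file. All keys below are hypothetical (constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoggerConfig:
    bind_address: str    # interface the logger's web UI listens on
    auth_required: bool  # whether the web UI demands a login at all
    admin_password: str  # web UI password ("" means none was set)
    token_in_secret_store: bool  # vehicle API token kept out of the config file
    tls_enabled: bool    # whether remote sessions are encrypted


# Constructed list of passwords that ship as defaults in many self-hosted tools.
KNOWN_DEFAULT_PASSWORDS = {"", "admin", "password", "changeme"}


def audit(cfg: LoggerConfig) -> list[str]:
    """Return a list of findings; an empty list means the deployment passes."""
    findings: list[str] = []
    exposed = cfg.bind_address in ("0.0.0.0", "::")  # listens on every interface
    if exposed and not cfg.auth_required:
        findings.append("CRITICAL: web UI reachable from any network without authentication")
    elif exposed:
        findings.append("WARNING: web UI bound to all interfaces; restrict to loopback or VPN")
    if cfg.auth_required and cfg.admin_password in KNOWN_DEFAULT_PASSWORDS:
        findings.append("CRITICAL: default or empty admin password")
    if not cfg.token_in_secret_store:
        findings.append("HIGH: vehicle API token stored in plaintext config; rotate it and move it to a secret store")
    if exposed and not cfg.tls_enabled:
        findings.append("HIGH: remote access without TLS; credentials and tokens travel in the clear")
    return findings


# Constructed samples: an out-of-the-box deployment and a hardened one.
WEAK = LoggerConfig("0.0.0.0", False, "", False, False)
HARDENED = LoggerConfig("127.0.0.1", True, "long-unique-passphrase-set-by-owner", True, True)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["OK"])
```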
Currently, the automotive cybersecurity standards ISO/SAE 21434 and UN Regulation 155 require manufacturers (also known as OEMs) to conduct threat analysis and risk assessment (TARA) across their whole vehicle design. As a result of this legislation, OEMs are now held liable for cyber breaches caused by dark web hackers.
That’s why it’s so strange that an OEM as savvy as Tesla flat-out ignored the risks of exposing its APIs to third-party applications. Low-quality apps may be poorly safeguarded, allowing deep web hackers to exploit their flaws and use the app as a bridge into automobiles.
While responsibility lies with the customer, it’s Tesla’s job to screen these apps and limit the exposure of its APIs to non-certified, third-party app providers.