“A few years ago, a hacker managed to exploit vulnerabilities in Tesla’s servers to gain access and control over the automaker’s entire fleet,” remembers Electrek (in a story shared by long-time Slashdot reader AmiMoJo).

Tesla enthusiast Jason Hughes had already received a $5,000 bug bounty for reporting a vulnerability, but “knowing that their network wasn’t the most secure, to say the least, he decided to go hunting for more bug bounties.”
After some poking around, he managed to find a bunch of small vulnerabilities. The hacker told Electrek, “I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was ‘Mothership’.” Mothership is the name of Tesla’s home server used to communicate with its customer fleet.

Any remote command or diagnostic data exchanged between a car and Tesla goes through “Mothership.” After downloading and dissecting the data found in the repository, Hughes started using his car’s VPN connection to poke at Mothership. He eventually landed on a developer network connection. That’s when he found a bug in Mothership itself that let him authenticate as if his requests were coming from any car in Tesla’s fleet.

All he needed was a vehicle’s VIN, and he had access to all of those through Tesla’s “tesladex” database thanks to his complete control of Mothership. With a VIN in hand he could get information about any car in the fleet and even send commands to those cars.
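The security lesson in the paragraph above is that a VIN is an identifier, not a credential: it is stamped on the windshield and stored in fleet databases, so a server that accepts "I am vehicle X" on the strength of a VIN alone lets anyone who can look up VINs impersonate any car. The following is an added illustration of that general bug class, written for this page; it is not Tesla's code and does not describe the actual Mothership flaw, whose details the story does not give. The fleet data, the `Session`/`peer_vin` transport abstraction and the handler names are all hypothetical.

```python
"""Hypothetical fleet command server (illustrative, not Tesla's code).

Two handlers for the same "send a command to a vehicle" operation:
  * handle_command_vulnerable: the vehicle's identity is whatever VIN the
    caller puts in the request body, so any VIN-holder controls any car.
  * handle_command_hardened: the identity comes from the authenticated
    channel the request arrived on (e.g. the VIN bound to the client
    certificate of the car's VPN/mTLS session), and a client-chosen VIN
    is never trusted on its own.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample fleet: VIN -> friendly owner label. VINs are public
# identifiers, so knowing one must never be enough to control the car.
FLEET = {
    "5YJ3E1EA7KF000001": "alice-car",
    "5YJ3E1EA7KF000002": "bob-car",
}


class AuthError(Exception):
    """Raised when a command cannot be attributed to an authenticated car."""


@dataclass
class Session:
    # Identity established by the transport layer before the request body
    # is ever parsed, e.g. the VIN from the subject of a verified per-vehicle
    # client certificate. None means the channel carries no vehicle identity.
    peer_vin: Optional[str]


def dispatch(vin: str, cmd: str) -> str:
    """Stand-in for queuing a command to a car; returns a trace string."""
    return f"{cmd} -> {FLEET[vin]}"


def handle_command_vulnerable(session: Session, request: dict) -> str:
    # BUG: the VIN in the request body is treated as proof of identity.
    # The session's own identity is ignored entirely.
    vin = request["vin"]
    if vin not in FLEET:
        raise AuthError("unknown vehicle")
    return dispatch(vin, request["cmd"])


def handle_command_hardened(session: Session, request: dict) -> str:
    # Identity comes only from the authenticated channel.
    if session.peer_vin is None or session.peer_vin not in FLEET:
        raise AuthError("request did not arrive over an authenticated vehicle channel")
    # A VIN in the body is tolerated for logging, but it must match the
    # channel; it can never redirect the command to a different car.
    if "vin" in request and request["vin"] != session.peer_vin:
        raise AuthError("VIN in request does not match authenticated vehicle")
    return dispatch(session.peer_vin, request["cmd"])


def demo() -> dict:
    """Attacker on their own car's channel targets someone else's VIN."""
    attacker = Session(peer_vin="5YJ3E1EA7KF000001")       # attacker's own car
    req = {"vin": "5YJ3E1EA7KF000002", "cmd": "summon"}      # victim's VIN
    result = {"vulnerable": handle_command_vulnerable(attacker, req)}
    try:
        handle_command_hardened(attacker, req)
        result["hardened"] = "allowed"
    except AuthError as exc:
        result["hardened"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s}: {outcome}")
```

The hardened handler does not make the VIN secret, which is impossible; it simply stops using it as an authenticator. Whatever the channel is in a real deployment (mTLS, a per-vehicle signed token, an attested device identity), the rule is the same: the server derives "which car is talking" from something only that car can present, and any identifier in the request body is at most cross-checked against it.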

Last week Hughes released an annotated version of the bug report he’d submitted to Tesla. “Hughes couldn’t really send Tesla cars driving around everywhere…” reports Electrek, “but he could ‘Summon’ them…” Tesla gave him a special $50,000 bug bounty reward — several times higher than their usual maximum — and “used the information provided by Hughes to secure its network.”

Electrek calls it “a good example of the importance of whitehat hackers.”

Source:: Slashdot