How I Hacked 1000 + Tesla Cars using OSINT

I am Harish SG, a security researcher who studies Masters in Cybersecurity at UT Dallas and AI security intern at Cisco,previously hunted on the Microsoft Bug Bounty Program and Google VRP
我是Harish SG,是一名安全研究员,在德克萨斯大学达拉斯分校攻读网络安全硕士学位,在思科大学担任人工智能安全实习生,之前曾在Microsoft漏洞赏金计划和谷歌VRP中被发现

I am sharing this article for security awareness and educational purposes only and I am sharing only personal opinions and none of these are related to my work at Cisco. I am not responsible if someone abuse this methods against tesla car owner and I wrote this article to bring awareness among tesla owner and Note this is not a vulnerability in Tesla vehicle or Tesla’s infrastructure

In this article I am gonna share How I used OSINT techniques to hack tesla cars and what was the reply from tesla when I reported about this to them and How can impacted tesla owners protect themselves
在这篇文章中,我将分享我如何使用 OSINT 技术来破解特斯拉汽车,以及当我向他们报告此事时特斯拉的回应是什么,以及受影响的特斯拉车主如何保护自己

What is teslamate? 什么是特斯拉酸盐?

TeslaMate is an open-source, self-hosted data logger for your Tesla vehicle. It’s designed for Tesla owners who want detailed insights into their driving habits, charging behavior, efficiency, and other metrics related to their Tesla vehicle.
TeslaMate 是一款用于 Tesla 车辆的开源自托管数据记录器。它专为希望详细了解其驾驶习惯、充电行为、效率以及与特斯拉汽车相关的其他指标的特斯拉车主而设计。

Here are some features and aspects of TeslaMate:
以下是 TeslaMate 的一些功能和方面:

Detailed Dashboards: TeslaMate provides visual dashboards that display data on drives, charges, efficiency, and more. It makes use of Grafana for creating visually appealing and detailed data visualizations.
详细的仪表板:TeslaMate 提供可视化仪表板,显示有关驱动器、费用、效率等的数据。它利用 Grafana 来创建具有视觉吸引力和详细的数据可视化。

Charging Stats: It provides insights into your charging habits, how much you’ve spent on electricity, efficiency, and more.

Drive Tracking: You can get detailed statistics about each drive, including the path taken, efficiency, and other relevant metrics.

Geofencing: This allows you to define specific areas (like “Home” or “Work”) and get statistics based on those areas. It can help in understanding how much you drive within specific regions.

Privacy: Since TeslaMate is self-hosted, all your data remains with you. Unlike some third-party services that might store your data on their servers, with TeslaMate, you have full control.
隐私:由于 TeslaMate 是自托管的,因此您的所有数据都保留在您身边。与某些可能将您的数据存储在其服务器上的第三方服务不同,使用 TeslaMate,您可以完全控制。

Updates & Community: Being open-source means there’s a community around it that can contribute to its development. This can lead to frequent updates, new features, and community support.

Integration with Home Automation Systems: Some advanced users have integrated TeslaMate with their home automation systems to make intelligent decisions based on vehicle state, like adjusting thermostats when the car is nearing home.
与家庭自动化系统集成:一些高级用户已将 TeslaMate 与他们的家庭自动化系统集成,以根据车辆状态做出智能决策,例如在汽车接近家时调整恒温器。

I used censys to find teslamate instances using this query “teslamate” i found that most of them secured with authentication
我使用 censys 使用此查询“teslamate”查找 teslamate 实例,我发现它们中的大多数都通过身份验证进行保护

How I Hacked 1000 + Tesla Cars using OSINT

I started to read documentation of the teslamate available here and while read the documentation I found that teslamate can installed and integrated with tesla cars without authentication
我开始阅读此处提供的 teslamate 文档 在阅读文档时,我发现 teslamate 无需身份验证即可安装并与特斯拉汽车集成

Then I used the following query to find all teslamate dashboard without authentication

How I Hacked 1000 + Tesla Cars using OSINT

Out of curiosity I opened one of results and I found this below response cached by censys. (This is not realtime) this means that instance is misconfigured and it does not have authentication.
出于好奇,我打开了其中一个结果,我发现下面由 censys 缓存的响应。(这不是实时的)这意味着实例配置错误,并且没有身份验证。

How I Hacked 1000 + Tesla Cars using OSINT

I did not opened dashboard since it might be illegal even though it got exposed publicly or it might be legal gray area so I tried to contact owner to get permission but unfortunately I failed in that attempt of finding the owner then out of curiosity to know what can an attacker do if they can access this misconfigured teslamate I started to read their documentation and project’s github repository. I attacker can do following in misconfigured teslamate without authentication.
我没有打开仪表板,因为它可能是非法的,即使它被公开曝光,或者它可能是合法的灰色地带,所以我试图联系所有者以获得许可,但不幸的是,我试图找到所有者失败了,然后出于好奇,想知道如果攻击者可以访问这个配置错误的 teslamate,我可以做什么,我开始阅读他们的文档和项目的 github 存储库。攻击者可以在没有身份验证的情况下在错误配置的 teslamate 中执行以下操作。

  1. Track live location 跟踪实时位置
  2. check if driver present in that car or not
  3. check if car is locked or not
  4. make online car to sleep
  5. check if trunk of car is open or not
  6. check if car is in sentry mode or not
How I Hacked 1000 + Tesla Cars using OSINT
Screenshot from the projects github repo
项目 github 存储库的屏幕截图
How I Hacked 1000 + Tesla Cars using OSINT
screenshot from Teslamates’repo
截图来自 Teslamates'repo
How I Hacked 1000 + Tesla Cars using OSINT
screenshot from Teslamates’repo
截图来自 Teslamates'repo
How I Hacked 1000 + Tesla Cars using OSINT
screenshot from Teslamates’repo
截图来自 Teslamates'repo

above screenshot shows what are the car data attacker can see in the misconfigured teslamate dashboard
上面的屏幕截图显示了汽车数据攻击者可以在配置错误的 Teslamate 仪表板中看到的内容

How can does this data can be used against tesla owners who have misconfigured teslamate dashboard?

Attacker can do physical damage to the tesla owner who have their cars connect to a misconfigured teslamate dashboard

How can tesla owner who has misconfigured teslamate protect themselves?

  1. Enable authentication in their teslamate’s instance by following this
    按照以下 在其 teslamate 的实例中启用身份验证
  2. If you are running this instance locally in home server then disable portforwarding of that specific port this dashboard running generally its 4000
    如果您在主服务器中本地运行此实例,则禁用该特定端口的端口转发,此仪表板通常运行其 4000
  3. Try to contact services such as Shodan and censys to remove the results of your instance
    尝试联系 Shodan 和 censys 等服务,以删除实例的结果

Response from Tesla when I reported about this issue to them and asked them to send push notification to users to remove this from internet via bugcrowd
当我向他们报告此问题并要求他们向用户发送推送通知以通过 bugcrowd 将其从互联网上删除时,特斯拉的回应

How I Hacked 1000 + Tesla Cars using OSINT
How I Hacked 1000 + Tesla Cars using OSINT

Thanks for reading my article!

Try hacking LLM :
尝试黑客 LLM :

Hacking into Bard :

Hacking into Facial Recognition system

Follow me on twitter

Follow me on linkedin :

原文始发于Harish SG:How I Hacked 1000 + Tesla Cars using OSINT

版权声明:admin 发表于 2023年11月2日 下午9:11。
转载请注明:How I Hacked 1000 + Tesla Cars using OSINT | CTF导航