Jonathan M. Gitlin - Jan 12, 2022 4:40 pm UTCEnlarge /
The downside with offering APIs to interact with a car is that someone else's security problem might become your own.
David Colombo explained in the thread that the flaw was "not a vulnerability in Tesla's infrastructure. It's the owner's faults." He claimed to be able to disable a car's remote camera system, unlock doors and open windows, and even begin keyless driving. He could also determine the car's exact location.
However, Colombo clarified that he could not actually interact with any of the Teslas' steering, throttle, or brakes, so at least we don't have to worry about an army of remote-controlled EVs doing a Fate of the Furious reenactment.
Colombo says he reported the issue to Tesla's security team, which is investigating the matter.
On a related note, early on Wednesday morning, a third-party Tesla app called TezLab reported that it saw the "simultaneous expiry of several thousand Tesla authentication tokens from Tesla's side." TezLab's app makes use of Tesla APIs that allow apps to do things like log in to the car and enable or disable the anti-theft camera system, unlock the doors, open the windows, and so on.