The importance of applying two-factor authentication

A hacker claims to have taken remote control of more than 25 Tesla cars without their owners' knowledge. The flaw reportedly does not come from the manufacturer's infrastructure, but Tesla should nevertheless review its policy on two-factor authentication.

Source: Frandroid

Is Tesla at fault? That is the question raised by the claims of David Colombo, a 19-year-old hacker who says on Twitter that he has taken remote control of more than 25 Tesla electric cars in 13 different countries. Above all, it is an opportunity to recall good security practices and the importance of two-factor authentication.

To understand the subject, you should know that David Colombo says he is able to activate the vehicles' Sentry Mode (the car's activity monitoring system) and the keyless driving option, to open the doors and windows, and to find out the exact geographical position of each Tesla.

I could also query the exact location, see if a driver is present and so on. The list is pretty long.

And yes, I also could remotely rick roll the affected owners by playing Rick Astley on Youtube in their Tesla’s😂

[3/X]

— David Colombo (@david_colombo_) January 11, 2022

The hacker claims to have exploited a software flaw, but specifies that “it’s not a vulnerability in Tesla’s infrastructure. It’s the fault of the owners [of the cars]. That’s why I have to report it to the owners […]”.

Note that the hacker cannot remotely control the steering wheel or the brakes of the Tesla. However, even while the car is moving, he can change the volume of the radio or activate the lights.

The flaw does not come from Tesla

The story therefore remains rather vague, but we can assume that the security flaw comes from a third-party application that lets the user control their car. We think in particular of those that go through the Jeedom home automation software, but there are others.

David Colombo probably prefers to keep the details secret so as not to show malicious hackers a ready-made path to the flaw until the breach has been closed. However, he tries to offer some reassurance by emphasizing that only a small number of people around the world are affected. In addition, Tesla teams are in contact with the hacker to launch an investigation and try to correct the problem.

Activate two-factor authentication on Tesla

Either way, incidents like this are a reminder of the importance of two-factor authentication (2FA) on all of our connected devices. Even if Tesla is not at the origin of the flaw mentioned here, the manufacturer should apply a stricter policy for the safety of its users.

Two-factor authentication does exist on Tesla accounts, but it is not mandatory. Yet this method would easily protect against a large majority of security breaches. Instead of a hacker connecting to their vehicle without their knowledge, the Tesla owners concerned would have received a message (SMS, email, etc.) asking them to confirm the connection. This would have prompted them to change their password and do some checking. Without being a panacea, 2FA is reassuring.

Take the example of Google, which already enforces two-factor authentication to improve the security of its users. Other companies are doing the same, such as Amazon with its Ring cameras, notably after they were hacked.
