
I am Harish SG, a security researcher studying for a Master's in Cybersecurity at UT Dallas and an AI security intern at Cisco. I previously hunted on the Microsoft Bug Bounty Program and Google VRP.

I am sharing this article for security awareness and educational purposes only. These are my personal opinions and none of this is related to my work at Cisco.

I am not responsible if someone abuses these methods against Tesla car owners; I wrote this article to raise awareness among Tesla owners. Note that this is not a vulnerability in Tesla vehicles or Tesla's infrastructure.

In this article I will describe a vulnerability in a third-party software called TeslaLogger and the work the maintainer did to mitigate this risk after my report.

Teslalogger is an open-source, self-hosted data logger for your Tesla vehicle. It’s designed for Tesla owners who want detailed insights into their driving habits, charging behavior, efficiency, and other metrics related to their Tesla vehicle.

Repo: TeslaLogger

I found this super cool project when I googled around for interesting open-source projects in the automobile industry to experiment with.

I installed TeslaLogger on my laptop using the Docker image and ran nmap to learn more about it.

From the port scan above we can see that the project runs the following services:

1. MariaDB (port 3306)
2. Grafana (port 3000)
3. Admin panel (port 8888)

So I needed to get access to any of the above services. MariaDB and Grafana were the more interesting ones to me, so I tried connecting to MariaDB with the default credentials found in the repo using DBeaver, and dumped the Tesla car API key with the SQL query SELECT * from cars;

The Tesla token and Tesla refresh token are something like a digital car key: once an attacker has access to these, he can literally control your car while sitting on his couch.

The Tesla API has proper RBAC, but TeslaLogger requires the following permissions to run properly:

Since the API key is already granted the above permissions, an attacker can easily abuse it to add a new driver, open the doors and steal the things inside the car, turn on the air conditioner, etc.

I also found another method to get access to the car's API key, rather than dumping the DB, since some versions of TeslaLogger running on Raspberry Pis did not expose their DBs on the internet.

I found the Grafana dashboard running on port 3000 using the port scan.

I took a shot and tried logging in with the so-called default credentials, which, kinda unsurprisingly but still hilariously, worked.

Building a query string in Grafana (Explore) and querying the API tokens wasn't magic after that.

That was the point where I was able to fully confirm that in this case it is indeed possible for an external attacker to do these steps and end up with substantial control over someone's Tesla.

I found TeslaLogger is vulnerable to CWE-256 (https://cwe.mitre.org/data/definitions/256.html), i.e. storage of sensitive information such as passwords, API keys, etc. as plaintext in a database or data store.

TeslaLogger is also vulnerable to CWE-1188, i.e. the software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

Developers often choose default values that leave the software as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value. However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it.

I found more than 30 TeslaLogger instances on the public internet using Censys; most of them are in the European Union.

Once I found this, I reported it to the developer and maintainer of TeslaLogger after finding his WhatsApp phone number on the internet using Google dorking.

No! It is an amazing piece of software with an awesome maintainer, and I do not want to put any blame on the maintainer, since he is as interested in making it secure for all users as I am. He was super quick and patched as soon as I reported. I would like to thank him for developing this amazing software and for supporting security researchers like me in improving its security.

Mitigation: https://github.com/bassmaster187/TeslaLogger/commit/85a1680b60be97c45849eb66de094194bad3dedb#diff-f7564391a6870cf15ca7940ca2666fb1508cdb617aa075ebcc046930e372aea3

The maintainer has enabled encryption for storing the Tesla API key and refresh token in the database, so even if an attacker compromises the database or Grafana, he cannot get the API key in plaintext. The maintainer has also already added authentication to the admin panel.

I am disclosing these findings with appropriate permission from the maintainer.

Why did I not report this directly to Tesla product security?

This was their reply when I reported a security issue in TeslaMate (a similar third-party software) a few months ago:
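To make that mitigation concrete, here is an added example of what encrypting the token columns at rest looks like. This is my own illustration, not TeslaLogger's code (the maintainer's actual change is in the commit linked above): the tokens are sealed with AES-256-GCM under a key that lives outside the database, so SELECT * from cars yields only ciphertext, and a tampered value or a wrong key is rejected on decryption. The function names and the 32-byte key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// newGCM wraps a 32-byte (AES-256) key in an AEAD. The key must live outside the
// database (env var or config file), or a DB dump still yields the plaintext tokens.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptToken seals a token with AES-256-GCM; the DB column holds
// base64(nonce || ciphertext || tag), with a fresh random nonce per write.
func encryptToken(key []byte, token string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(token), nil)), nil
}

// decryptToken reverses encryptToken; the GCM tag check rejects a tampered
// column value or a wrong key instead of decrypting to garbage.
func decryptToken(key []byte, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("invalid key or stored value")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	return string(pt), err
}
```

The logger still gets the plaintext token back at runtime, but a Grafana query or a DB dump, which only sees the stored column, does not.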

Recommendations for all TeslaLogger users

I recommend all users of TeslaLogger upgrade to the latest version and change the default credentials of the database and Grafana when deploying the software on the cloud with its services exposed to the public internet.

I recommend all users with TeslaLogger deployed in the cloud contact search engines such as Shodan and Censys to have their services removed from the results.

I am working on getting a CVE from MITRE for this issue; I will update here once I hear back from them.

Thanks for reading my article!

Try hacking LLM : https://github.com/harishsg993010/DamnVulnerableLLMProject

Hacking into Bard : https://infosecwriteups.com/hacking-google-bard-24f9dfa7b455

Hacking into Facial Recognition system : https://medium.com/bugbountywriteup/hacking-into-facial-recognition-system-using-generative-ai-69a741077f0e

Follow me on Twitter: https://twitter.com/CoderHarish

Follow me on LinkedIn: https://www.linkedin.com/in/harish-santhanalakshmi-ganesan-31ba96171/

Special thanks to: Christian P (TeslaLogger maintainer)
