Tesla security issues: what a kid did

The German teenager discovered a flaw in a piece of open source software.

The 19-year-old German cybersecurity researcher, who accessed several Tesla cars remotely through a third-party flaw, has a new trick: he hacks the email addresses of car owners to notify them that they are at risk.

Earlier this month, David Colombo discovered a flaw in a piece of third-party open source software that allowed him to remotely hijack some functions on about 24 Tesla models, including opening and closing doors or honking. In an attempt to notify the affected car owners, he then found a flaw in Tesla’s digital car key software that allowed him to learn their email addresses.

A serious problem

Colombo said the flaw was in a Tesla API, or application programming interface. Following the public announcement, a Twitter user suggested that the contact details of the affected owners could be found through an API endpoint, the code that allows two software components to communicate with each other.

“Once I was able to figure out the endpoint, I was able to see the email address associated with the Tesla API key, the car’s digital key,” Colombo said in an interview with Bloomberg. “You should not be able to carry sensitive information, such as an email address, using access that is already expired or revoked.”
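The flaw described in the quote above, sketched as an added example (not code from the article, Colombo or Tesla): a hypothetical token-metadata lookup that returns the owner's email for any known token, next to a version that checks expiry and revocation first. The token names, email addresses, in-memory store, clock value and function names are all constructed for illustration.

```python
# Added illustration: hypothetical in-memory token store, not Tesla's API.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "current time"


@dataclass(frozen=True)
class TokenRecord:
    owner_email: str
    expires_at: datetime
    revoked: bool = False


# Constructed sample data: one live token, one expired, one revoked.
TOKENS = {
    "tok-active": TokenRecord("owner1@example.com", NOW + timedelta(days=30)),
    "tok-expired": TokenRecord("owner2@example.com", NOW - timedelta(days=1)),
    "tok-revoked": TokenRecord("owner3@example.com", NOW + timedelta(days=30), revoked=True),
}


def lookup_flawed(token: str) -> Optional[dict]:
    """Flawed pattern: any known token yields owner metadata, whatever its state."""
    rec = TOKENS.get(token)
    return {"email": rec.owner_email} if rec else None


def lookup_hardened(token: str, now: datetime = NOW) -> Optional[dict]:
    """Check revocation and expiry before touching owner data.

    Unknown, expired and revoked tokens all get the same None (think HTTP 401),
    so the response does not reveal which case applied.
    """
    rec = TOKENS.get(token)
    if rec is None or rec.revoked or now >= rec.expires_at:
        return None
    return {"email": rec.owner_email}


def leaking_tokens(lookup: Callable[[str], Optional[dict]]) -> List[str]:
    """Regression check: tokens that are no longer valid but still return data."""
    dead = [t for t, r in TOKENS.items() if r.revoked or NOW >= r.expires_at]
    return sorted(t for t in dead if lookup(t) is not None)


if __name__ == "__main__":
    print("flawed leaks:  ", leaking_tokens(lookup_flawed))
    print("hardened leaks:", leaking_tokens(lookup_hardened))
```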

The teenager from Dinkelsbühl, Germany, said he shared the additional vulnerability with Tesla, and the company’s engineers wrote a fix to prevent it from happening in the future.

Colombo said his additional discovery should be eligible for a “bug bounty” from Tesla, according to company policy, but officials there have not confirmed an amount with him. He joked that he hoped the amount was high enough to cover the coffee bill he had run up working on the original flaw over the past two weeks.
