January 15, 2022
A Teen Took Control of Teslas by Hacking a Third-Party App
On Friday, Russia did the previously unimaginable: It actually arrested a bunch of ransomware operators. Not only that, but those arrested were members of the notorious group REvil, which has been behind some of the biggest attacks of the last several years, including those on IT management firm Kaseya and meat giant JBS. Russian president Vladimir Putin had previously given ransomware hackers a free pass. It’s not clear yet whether this was a calculated political move, a sign of a broader crackdown, or both, but it’s certainly a watershed moment.
Telecoms around the world have pushed back against Apple’s Private Relay, a not-quite-VPN that bounces your traffic through a couple of servers to give you extra anonymity. T-Mobile in the US recently blocked it for customers who had parental control filters. It’s unclear why they’ve taken those measures against Apple and not the many, many VPNs that work unfettered, but it may have to do with the potential scale of Apple customers who could sign up for the service.
And that’s not all! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories.
A 19-year-old security researcher named David Colombo detailed this week how he was able to remotely unlock the doors, open the windows, blast music, and start keyless driving for dozens of Teslas. The vulnerabilities he exploited to do so aren’t in Tesla software itself, but in a third-party app. There are some limits to what Colombo could accomplish; he couldn’t do anything in the way of steering or speeding up or slowing down. But he was able to gather lots of sensitive data about the affected vehicles. Cars are computers now, perhaps none more so than Teslas, which means they inherit computer problems, like third-party software with access to the vehicle becoming the weak link.
As tensions mount along the border between Russia and Ukraine, someone defaced over 70 official Ukrainian government websites this week, placing a notice that people should “prepare for the worst.” While it’s tempting to assume that it was the work of the Russian government, this isn’t a particularly sophisticated hack despite the widespread impact and visibility. (That’s also not to say it wasn’t Russia; it’s just impossible to know right now.) The White House also warned this week that Russia was planning a “false flag” to justify an invasion, so presumably more to come on this.
The US hasn’t embraced Covid-19 contact tracing apps despite the core functionality being built into every iOS and Android phone. Other countries, though, have seen much wider adoption. That includes Germany, where police recently used data from the Luca contact tracing app to figure out who had been at a specific restaurant on a specific night in November, and used that information to identify 21 potential witnesses. Law enforcement has said they won’t use that data any further after a public outcry. But the incident represents exactly the kind of worst-case scenario privacy advocates had warned about, at a time when public confidence in contact tracing is more important than ever.
The developer behind two widely used open source libraries effectively broke his own code this week, disrupting thousands of projects in the process. The changes caused applications that depended on the libraries to print nonsense messages in an infinite loop. The developer appeared motivated to make a statement about large companies profiting off of his work for free, but in the process made life pretty miserable for users of all stripes.