TeslaLogger Vulnerability: Third-Party Software Exposes Tesla API Keys
By: Austin Ukpebor - May 17 2024 at 13:56:22pm
A recent discovery by a security researcher has shed light on a critical vulnerability in TeslaLogger, a third-party program used to collect data from Tesla vehicles.
TeslaLogger, an open-source data logger for Tesla cars, was found to have unsafe default configurations. These settings could allow unauthorized access to TeslaLogger instances. Importantly, this vulnerability does not originate within Tesla vehicles or Tesla’s infrastructure.
Compromised Tesla tokens, both access tokens and refresh tokens, grant an attacker complete remote control over the vehicle, so any Tesla integration that stores such tokens to call the Tesla API turns this vulnerability into a significant concern.
Although Tesla's API employs Role-Based Access Control (RBAC), some logger programs for Tesla cars request far more permissions than data collection requires. A stolen API key then lets an attacker manipulate the car's state, potentially leading to unauthorized access, vehicle control, and even safety risks.
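The least-privilege point above can be checked locally: decode the access token a logger holds and list every scope that a read-only data collector does not need. The following is an added illustration, not code from this post or from TeslaLogger; the Tesla Fleet API scope names and the `scp` claim name are assumptions taken from public documentation, and the sample token is constructed and unsigned.

```python
import base64
import json

# Scopes a read-only data logger legitimately needs (assumed Fleet API names).
LOGGER_READ_SCOPES = {"openid", "offline_access", "vehicle_device_data", "vehicle_location"}
# Scopes that change vehicle or energy-product state; a logger should never hold these.
COMMAND_SCOPES = {"vehicle_cmds", "vehicle_charging_cmds", "energy_cmds"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_scopes(token: str) -> set[str]:
    """Return the scope set from a JWT payload (claim name 'scp' assumed, 'scope' as fallback).
    The signature is deliberately NOT verified: this is a local audit of what a token
    grants, not an authentication decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = json.loads(_b64url_decode(parts[1]))
    scopes = payload.get("scp", payload.get("scope", []))
    if isinstance(scopes, str):  # some issuers encode scopes as a space-separated string
        scopes = scopes.split()
    return set(scopes)


def excessive_scopes(token: str) -> set[str]:
    """Scopes the token holds beyond what a read-only logger needs."""
    return token_scopes(token) - LOGGER_READ_SCOPES


def grants_vehicle_control(token: str) -> bool:
    """True if a leak of this token would let someone change the car's state."""
    return bool(token_scopes(token) & COMMAND_SCOPES)


def _make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo (signature segment left empty)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'


# Constructed sample: what a logger might hold after an over-broad consent prompt.
SAMPLE_TOKEN = _make_unsigned_jwt({"sub": "user-123", "scp": [
    "openid", "offline_access", "vehicle_device_data", "vehicle_cmds", "vehicle_charging_cmds"]})

if __name__ == "__main__":
    print("excessive scopes:", sorted(excessive_scopes(SAMPLE_TOKEN)))
    print("leak would allow vehicle control:", grants_vehicle_control(SAMPLE_TOKEN))
```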
Even if the database housing the API keys is not exposed, there are other ways to obtain them: certain Tesla logger deployments on Raspberry Pi devices make matters worse by disclosing the API key carelessly.
The security researcher promptly reported this vulnerability to the TeslaLogger maintainer, who swiftly and effectively implemented the necessary measures to mitigate the risk. Addressing such flaws is crucial to ensuring the security of Tesla owners and their vehicles.