Authorized drivers can disable remote monitoring

Disclosed by KLWTTS
  • Program: Tesla
  • Disclosed date: over 1 year ago
  • Points: 10
  • Priority: P3 (Bugcrowd's VRT priority rating)
  • Status: Resolved (this vulnerability has been accepted and fixed)
Summary by Tesla

Disabling mobile access is now restricted to vehicle owners. Since this issue required an attacker to have been granted access to a vehicle by the owner, it was classified as P3.

Summary by KLWTTS

Tesla had misconfigured vehicle security settings, which enabled guests who had been shared Mobile Access by an Owner to use their guest credentials to turn off Mobile Access for all users. This same vulnerability let Guests override the Owner's other available security features, such as Valet Mode, PIN to Drive, and Glovebox PIN. Tesla addressed the issue by reconfiguring the server-side protocol to only accept the Owner's credentials for all of these features.
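The flaw described above is a classic missing function-level authorization check: the server verified that the caller had *some* access to the vehicle, but not that the caller held the *owner* role required for security-sensitive settings. The following is an added illustration, not Tesla's code and not code from the report; the setting names, the `Role` model, the `Vehicle` structure and both handler functions are assumptions made for the example. It shows the vulnerable check beside the hardened one so the difference is visible in a test.

```python
"""Owner-only authorization for vehicle security settings (illustrative model)."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    OWNER = "owner"
    GUEST = "guest"  # a user who was shared Mobile Access by the owner


# Settings that only the vehicle owner may change. Hypothetical names chosen
# to mirror the features listed in the disclosure summary.
OWNER_ONLY_SETTINGS = frozenset(
    {"mobile_access", "valet_mode", "pin_to_drive", "glovebox_pin"}
)


class Forbidden(Exception):
    """Raised when a caller is not authorized to change a setting."""


@dataclass
class Vehicle:
    vin: str
    grants: dict            # user_id -> Role
    settings: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)


def make_vehicle() -> Vehicle:
    """Constructed sample vehicle: one owner, one guest, all protections enabled."""
    return Vehicle(
        vin="EXAMPLE-VIN-0001",
        grants={"owner-1": Role.OWNER, "guest-1": Role.GUEST},
        settings={
            "mobile_access": True,
            "valet_mode": True,
            "pin_to_drive": True,
            "glovebox_pin": True,
            "climate_preset": "auto",  # non-security setting any user may change
        },
    )


def set_setting_vulnerable(vehicle: Vehicle, user_id: str, name: str, value) -> None:
    """Flawed check: anyone with *any* grant on the vehicle may change *any* setting.

    This models the pre-fix behaviour in the summary: a guest could disable
    Mobile Access for everyone, including the owner.
    """
    if user_id not in vehicle.grants:
        raise Forbidden(f"{user_id} has no access to {vehicle.vin}")
    vehicle.settings[name] = value
    vehicle.audit_log.append((user_id, name, value))


def set_setting_fixed(vehicle: Vehicle, user_id: str, name: str, value) -> None:
    """Hardened check: owner-only settings require the OWNER role, not mere access.

    The role is looked up server-side from the vehicle's grant table, never
    taken from the request, so a guest cannot claim to be the owner.
    """
    role = vehicle.grants.get(user_id)
    if role is None:
        raise Forbidden(f"{user_id} has no access to {vehicle.vin}")
    if name in OWNER_ONLY_SETTINGS and role is not Role.OWNER:
        # Log the denied attempt: repeated guest attempts to flip security
        # settings are a useful detection signal for the owner and the platform.
        vehicle.audit_log.append((user_id, name, "DENIED"))
        raise Forbidden(f"{user_id} ({role.value}) may not change {name}")
    vehicle.settings[name] = value
    vehicle.audit_log.append((user_id, name, value))


def guest_can_disable_mobile_access(handler) -> bool:
    """Return True if a guest can turn off mobile_access through `handler`."""
    vehicle = make_vehicle()
    try:
        handler(vehicle, "guest-1", "mobile_access", False)
    except Forbidden:
        pass
    return vehicle.settings["mobile_access"] is False


if __name__ == "__main__":
    print("vulnerable handler lets guest disable:", guest_can_disable_mobile_access(set_setting_vulnerable))
    print("fixed handler lets guest disable:     ", guest_can_disable_mobile_access(set_setting_fixed))
```

The design point is that "has access to the vehicle" and "is allowed to change this setting" are two separate questions; the fix is a per-setting permission table checked against a server-side role lookup, plus an audit record of denied attempts so that abuse of shared access is visible.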
