Summary by Tesla
Disabling mobile access is now restricted to vehicle owners. Since this issue required an attacker to have been granted access to a vehicle by the owner, it was classified as P3.
Tesla had misconfigured vehicle security settings that gave guests with whom an Owner had shared Mobile Access the ability to use their guest credentials to turn off Mobile Access for all users. This same vulnerability let Guests override the Owner's other available security features, such as Valet Mode, PIN to Drive, and Glovebox PIN. Tesla addressed the issue by reconfiguring the server-side protocol to accept only the Owner's credentials for all of these features.