Since these important facts seem to drown among other comments, I’ll add them here again 👇
This is not a vulnerability in Tesla’s infrastructure. It’s the owners’ fault. That’s why I would need to report this to the owners as stated above.
Nevertheless, I can now remotely run commands on 25+ Teslas in 13 countries without the owners’ knowledge.
Regarding what I’m able to do with these Teslas now:
This includes disabling Sentry Mode, opening the doors/windows and even starting Keyless Driving.
I could also query the exact location, see if a driver is present and so on. The list is pretty long.
And yes, I could also remotely rickroll the affected owners by playing Rick Astley on YouTube in their Teslas 😂
I think it’s pretty dangerous if someone is able to remotely blast music at full volume or open the windows/doors while you are on the highway.
Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers.
That’s why I would like to get this all fixed before I release any specific details regarding what exactly this all is about.
– Waiting for MITRE’s reply regarding a CVE
– Preparing my Writeup
– Coordinating disclosure to affected owners with Tesla
Small addition (for media reporters):
As already stated in some other replies, it is not “full remote control” as in being able to remotely control steering or acceleration & braking.
Yes, I potentially could unlock the doors and start driving the affected Teslas.
No, I cannot intervene with someone driving (other than starting music at max volume or flashing lights) and I also cannot drive these Teslas remotely.
Addition as of 11. Jan 22:33 (CET)
Tesla’s Security Team just confirmed to me they’re investigating and will get back to me with updates as soon as they have them.
The MITRE CVE Assignment Team reserved a CVE for it.