White hat hacker accesses 25+ Teslas

Plus, Safari flaws are patched and the FBI warns of job recruitment scams

David Colombo, a nineteen-year-old security researcher in Germany, was able to take remote control of a range of functions on more than 25 Teslas around the world by going through third-party software rather than the cars themselves. While reviewing the exposed network services of a prospective client’s company, Colombo came across TeslaMate, an open-source, self-hosted data logger for Tesla vehicles. Exploring further, he found he could issue commands to specific cars such as “disable Sentry Mode,” “unlock the doors,” “open the windows,” and even “start Keyless Driving,” though he could not reach the steering, accelerator, or brakes. It’s important to note that this was not a flaw in Tesla’s own infrastructure: the weakness lay in the third-party software and how it had been deployed.

“We need more researchers like David Colombo, he’s done a fantastic job,” commented Avast Security Evangelist Luis Corrons. “He has uncovered a number of problems that are responsible for the security issues he has found like a lack of encryption or default credentials. Vulnerabilities can be found anywhere, but with software not developed with security in mind the results are catastrophic. There are a number of lessons that can be learned here.” Tesla and the TeslaMate maintainers fixed the issues after being notified. For more on this story, read Colombo’s report on Medium.

Life360 plans to stop selling precise location data

In its latest quarterly activities report, the founder and CEO of the location-sharing app Life360 announced that the San Francisco-based company would phase out all of its location-data deals, except the one with Allstate’s Arity. Currently, the company sells the precise location of its 35 million individual users to about a dozen data brokers, but it plans to shift to selling aggregated rather than individual-level data. “Life360 recognizes that aggregated data analytics (for example, “150 people drove by the supermarket”) is the wave of the future, and that businesses will increasingly place a premium on data insights that do not rely on device-level or other individual user-level identifiers,” the announcement said. For more on this story, see The Markup.

Safari flaws allowed browser and webcam takeover

A group of macOS vulnerabilities, fixed by Apple at the end of 2021, allowed an attacker to take over the Safari browser and, through it, reach the online accounts a user was signed into as well as the microphone and webcam. The exploits abused trust relationships between iCloud and Safari, such as the document-sharing mechanism. “The attacker is basically punching a hole in the browser,” said researcher Ryan Pickren, who disclosed the vulnerabilities to Apple. “So if you’re signed in to Twitter.com on one tab, I could jump into that and do everything you can from Twitter.com. But that’s nothing to do with Twitter’s servers or security; I as the attacker am just assuming the role that you already have in your browser.” For more, see Wired.

LockBit 2.0 claims to have stolen French Ministry files 

Last week, the LockBit 2.0 ransomware group posted on its data leak site that it had stolen over 9,000 files from the French Ministry of Justice and that it would publish the data if a ransom was not paid by February 10. Cybercriminals using LockBit 2.0 routinely threaten to publish data from victims who don’t pay: they exfiltrate files before encrypting systems, so even a victim that can restore from backups still faces the threat of a leak. This “double extortion” technique puts extra pressure on the victim to pay. “The Ministry of Justice has become aware of the alert and immediately took steps to carry out the necessary checks,” a spokesperson told Politico, without providing further information about the operation’s scale.

FBI warns of job recruitment scams

In a public service announcement published this week, the FBI reported a current trend whereby scammers “exploit security weaknesses on job recruitment websites to impersonate legitimate businesses, threaten company reputation and defraud job seekers.” The FBI says the scammers can appear credible because they reuse legitimate details about the businesses they imitate. Since early 2019, the average reported loss from this scheme has been almost $3,000 per victim, and victims’ credit scores typically suffer as well. In the PSA, the Bureau provides a list of recommendations for both employers and job seekers to recognize and avoid this scam.

This week’s ‘must-read’ on The Avast Blog

At first glance, Google’s Topics initiative seems like a win for privacy advocates. At this point, though, it’s still unclear how things will pan out over time. Tune in for our team’s thoughts.
