Security researcher claims to have hacked into over 25 Teslas in 13 countries

The problem is not with Tesla's system or infrastructure, but rather with the third-party software, he says

A 19-year-old security researcher claims to have uncovered a security flaw in third-party software provided for Tesla vehicles that could enable hackers to take control of some of the vehicle's functionality from the outside.

David Colombo, who is from Germany, said he could remotely access some functions of more than 25 Tesla cars in 13 countries by exploiting the flaw, without the owners' knowledge.

He was able to see if a driver was in the car and could identify its exact location, Colombo claimed.

In addition, he was able to remotely open the doors and windows of the cars, disable their security systems, start the engine, flash headlights, turn on their radios and "remotely rick roll the affected owners by playing Rick Astley on YouTube in their Teslas".

While Colombo claimed in a Monday tweet that he had "complete remote control" of the Teslas, he later clarified that he was never able to "remotely manage steering, acceleration or brakes" of those vehicles.

"Yes, I potentially could unlock the doors and start driving the affected Teslas," he tweeted.

"No, I cannot intervene with someone driving (other than starting music at max volume or flashing lights) and I also cannot drive these Teslas remotely."

Colombo noted that the problem is not with Tesla's system or infrastructure, but rather it is the "fault" of the owner.

"It's primarily the owners (and a third party) fault," Mr Colombo told Bloomberg News.

However, the way the software stores sensitive data that is needed to link the cars to the programme is insecure, he added.

"This shouldn't happen. Especially if we're putting cars on the internet and trying to make them secure.

"Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers," he said, adding that "everyone needs to work together" on this particular issue.

Colombo also told the publication that Tesla's security team has confirmed to him that they were investigating the vulnerability.

Because the software provider has yet to release a fix, he asked Bloomberg not to publish details of the flaw.

Colombo's Twitter thread went viral online, drawing more than 6,600 likes, 1,300 shares, and nearly 300 comments.

He has previously claimed to have discovered flaws in the US Defense Department's network. According to his LinkedIn page, Colombo wrote his first piece of code at the age of 10. He has also founded a company whose goal is to "help every business to get protected from the ever-evolving and dangerous threat actors in the cyber space."

Like many tech firms, Tesla has a vulnerability disclosure platform where security researchers can report security flaws in the company's products. The company pays up to $15,000 for a qualifying vulnerability.

This is not the first time that a security flaw has been reported in Tesla's vehicles.

In 2020, a researcher claimed that they had discovered multiple security vulnerabilities in Tesla's firmware update mechanism after reverse engineering the display and instrument cluster of a Tesla Model 3.

In 2019, two white hat hackers said that they were able to extract a trove of personal and unencrypted data about vehicle owners from salvaged Tesla Model X, Model S and Model 3 vehicles.

Also in 2019, a group of security researchers claimed that they were able to hack into the navigation system of a Tesla Model 3 and get the vehicle to turn itself on.