- A 19-year-old said he was able to hack into over 25 Teslas via a bug in a popular data tool.
- David Colombo's tweet about the issue went viral, but he waited to reveal the vulnerability until it was fixed.
A 19-year-old security researcher said he was able to hack into over 25 Teslas from around the world.
On Monday, David Colombo published a blog post explaining how he was able to remotely hack into the
The teenager from Dinkelsbühl, Germany first revealed
—David Colombo (@david_colombo_) January 11, 2022
Colombo said the vulnerability allowed him to remotely access multiple Tesla features, including unlocking doors and windows, and starting keyless driving. The teen also said he could turn on the stereo or honk the horn, as well as view the car's location and whether the driver was present. However, he said he does not believe it would be possible to move the vehicle remotely.
"There should be no way at all that someone could literally walk up to some Teslas they do not own and take them for a drive," Colombo said in his blog post on Medium. "I also think it potentially could result in some dangerous situations on the road. For example, if someone with remote access starts blasting music on max volume while the driver is on the highway, or randomly and uncontrollably remotely flashing the lights of the Teslas at night."
Colombo explained that the security issue revolved around how TeslaMate stored sensitive information that's needed to link the program to the car. The
Colombo said he first became aware of the vulnerability in one Tesla in October and was able to contact the owner. He found over 20 more vulnerable Teslas in January, but faced difficulty contacting the owners.
In his efforts to alert Tesla owners to the issue, Colombo also found a flaw in the carmaker's software for its digital car key that allowed him to learn a Tesla owner's email address.
After Colombo privately reported the issues to TeslaMate and to Tesla's security team, the third-party tool pushed a software fix, and Tesla's security team revoked all affected access tokens and notified the owners. TeslaMate and a Tesla spokesperson did not respond to a request for comment from Insider, but TeslaMate told TechCrunch that the company pushed out the update within hours of receiving Colombo's email.
The German security researcher isn't the first to hack a Tesla. Last year, two researchers showed how a drone could launch an attack via Wi-Fi and open a Tesla's doors. In 2020, another researcher managed to hack into a Tesla's keyless entry system in 90 seconds by spoofing the signal.