A 19-year-old security researcher describes how he remotely hacked into over 25 Teslas
- A 19-year-old said he was able to hack into over 25 Teslas via a bug in a popular data tool.
- David Colombo's tweet about the issue went viral, but he waited to reveal the vulnerability until it was fixed.
A 19-year-old security researcher said he was able to hack into over 25 Teslas from around the world.
On Monday, David Colombo published a blog post explaining how he was able to remotely hack into the cars via security bugs in TeslaMate, a popular open-source logging tool that tracks anything from the Tesla's energy consumption to location history.
The teenager from Dinkelsbühl, Germany, first revealed news of the vulnerability on Twitter earlier in January, but waited to fully detail the issue until the bugs had been fixed.
Colombo said the vulnerability allowed him to remotely access multiple Tesla features, including unlocking doors and windows, and starting keyless driving. The teen also said he could turn on the stereo or honk the horn, as well as view the car's location and whether the driver was present. However, he said he does not believe it would be possible to move the vehicle remotely.
"There should be no way at all that someone could literally walk up to some Teslas they do not own and take them for a drive," Colombo said in his blog post on Medium. "I also think it potentially could result in some dangerous situations on the road. For example, if someone with remote access starts blasting music on max volume while the driver is on the highway, or randomly and uncontrollably remotely flashing the lights of the Teslas at night."
Colombo explained that the security issue revolved around how TeslaMate stored sensitive information that's needed to link the program to the car. The cybersecurity researcher explained that the information, including the car's API Key, could be repurposed to remotely send commands to the exposed Teslas and allow hackers to retain long-term access to the cars without the driver's knowledge.
Colombo said he first became aware of the vulnerability in one Tesla in October and was able to contact the owner. He found over 20 more vulnerable Teslas in January, but faced difficulty contacting the owners.
In his efforts to alert Tesla owners to the issue, Colombo also found a flaw in the carmaker's software for its digital car key that allowed him to learn a Tesla owner's email address.
After Colombo privately reported the issues to TeslaMate and to Tesla's security team, the third-party tool pushed a software fix, and Tesla's security team revoked all affected access tokens and notified the owners. TeslaMate and a Tesla spokesperson did not respond to a request for comment from Insider, but TeslaMate told TechCrunch that the company pushed out the update within hours of receiving Colombo's email.
The German security researcher isn't the first to hack a Tesla. Last year, two researchers showed how a drone could launch an attack via WiFi and open a Tesla's doors. In 2020, another researcher managed to hack into a Tesla's keyless entry system in 90 seconds by spoofing the signal.