The day is starting out a little odd for Tesla investors. A teenager calling himself a 19-year-old security specialist in his Twitter profile claims to have hacked a number of Tesla vehicles. It isn’t the first alleged hack of Tesla cars, but it might be the first time a solo teen has claimed to have succeeded.
“So, I now have full remote control of over 20 Tesla’s in 10 countries and there seems to be no way to find the owners and report it to them,” wrote David Colombo in a tweet on Jan. 10, later adding, “I could take around two dozen Tesla’s in 13 countries for a drive right now.”
David Colombo, a self-described information technology security specialist, tweeted Tuesday that the flaws gave him the ability to unlock doors and windows, start the cars without keys, and disable their security systems.
Colombo, who is based in Germany, also claimed he can see if a driver is present in the car, turn on the vehicles’ stereo sound systems and flash their headlights.
The problem involves an insecure way the software stores sensitive information that’s needed to link the cars to the program, Colombo said. In the wrong hands, that information could be stolen and repurposed by hackers to send malicious commands to the cars, he said. He showed Bloomberg screenshots of a private conversation over Twitter where one of the affected owners allowed him to remotely honk his car’s horn.
In an interview, Colombo provided screenshots and other documentation of his research that identified the maker of the software and gave details of the vulnerabilities. He asked that Bloomberg not publish specifics because the affected organization hasn’t yet published a fix. Colombo said he could access more than 25 Teslas in at least 13 countries, and he took to Twitter when he wasn’t able to contact most of the owners directly.
The teenager didn’t reveal the exact details of the software vulnerability, but said it wasn’t within Tesla’s software or infrastructure, and added that only a small number of Tesla owners globally were affected. His Twitter thread elicited a robust response, with more than 800 retweets and over 6,000 likes.
“It’s primarily the owners (& a third party) fault,” Colombo said in a response to questions from Bloomberg News. “This will be described more in detail in my writeup. But glad to see Tesla taking action now.”
A representative for Tesla in China declined to comment, while the carmaker’s global press team didn’t respond to an email seeking comment outside of West Coast business hours.
According to one online report, U.S.-based Tesla has a vulnerability disclosure platform where security researchers can register their own vehicles for testing, which Tesla can pre-approve. The company pays up to $15,000 for a qualifying vulnerability.
Colombo later tweeted he has been in touch with Tesla’s security team, and said they were investigating the issue. The team said they will come back to him with any updates, he said.
Thank you for visiting — Anany Sharma