19-year-old David Colombo (@david_colombo_) on Monday revealed in a series of tweets that he was able to hack into and gain “remote control” over 25+ Tesla cars in 13 countries without the owners’ consent or knowledge using a security vulnerability he discovered — reports Automotive News.
So, I now have full remote control of over 20 Tesla’s in 10 countries and there seems to be no way to find the owners and report it to them…
— David Colombo (@david_colombo_) January 10, 2022
The self-described “IT Security Specialist & Hacker” clarified in a follow-up tweet that the security flaw he exploited for remote access was not a vulnerability within Tesla’s infrastructure or software, but rather a product of user error.
Nevertheless I now can remotely run commands on 25+ Tesla‘s in 13 countries without the owners knowledge.
Regarding what I‘m able to do with these Tesla‘s now.
This includes disabling Sentry Mode, opening the doors/windows and even starting Keyless Driving.[2/X]
— David Colombo (@david_colombo_) January 11, 2022
Explaining what he meant by “full remote control” in his original tweet, Colombo said he could disable Sentry Mode, open car doors/windows, control the sound system, flash headlights, enable Keyless Driving, ping a car’s exact location, find out if a driver is present, and more.
Colombo went on to say that the exploit does not allow him to remotely drive a “hacked” Tesla or mechanically intervene with someone’s driving, but it is potentially dangerous nonetheless.
I think it‘s pretty dangerous, if someone is able to remotely blast music on full volume or open the windows/doors while you are on the highway.
Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers.
[4/X]
— David Colombo (@david_colombo_) January 11, 2022
Yes, I potentially could unlock the doors and start driving the affected Tesla‘s.
No I can not intervene with someone driving (other than starting music at max volume or flashing lights) and I also can not drive these Tesla‘s remotely.
[7/7]
— David Colombo (@david_colombo_) January 11, 2022
The teenager did not reveal the exact details of the software vulnerability but confirmed that only a small number of Tesla owners across the globe are affected.
Colombo revealed on Tuesday that Tesla’s Security Team had gotten in touch with him, confirming that they are currently investigating the issue. Tesla will get back to the cybersecurity specialist with any updates as soon as they have them.
The MITRE CVE Assignment Team reserved a CVE for it.
🎉
[9/9]
— David Colombo (@david_colombo_) January 11, 2022
What’s more, the MITRE Corporation will be adding the security flaw Colombo discovered to the Common Vulnerabilities and Exposures (CVE) list.
This isn’t the first time a security flaw or vulnerability has been discovered on a Tesla, but the electric vehicle (EV) giant has always been quick to deploy fixes.
