Tesla Fixes API Security Flaw Discovered by German Teenager
Earlier this month, a German teenager claimed to have hacked Tesla’s vehicles globally, and since that report the teenage hacker has explained how he discovered the flaw in the automaker’s software.
19-year-old David Colombo discovered flaws in Tesla’s software that allowed him to learn the email addresses of a number of Tesla owners, according to Bloomberg.
Colombo had initially found the security issues using third-party, open-source software, which allowed him to hijack functionality on around 24 Tesla vehicles, including functions like honking the horn or opening and closing the doors.
Third-party companion services allow Tesla owners to leverage their vehicle’s data and controls, beyond the Tesla mobile app.
While attempting to notify the owners, Colombo discovered that a security flaw in the Tesla API also allowed him to learn the email addresses of the affected owners.
In an interview on Monday night, Colombo said, “Once I was able to figure out the endpoint, I was indeed able to carry the email address associated with the Tesla API key, the digital car key.” Colombo continued, “You shouldn’t be able to carry sensitive information like an email address using an access that is already expired or revoked.”
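The failure mode Colombo describes is an API that resolves an access token to account data without first checking whether that token is still valid. The following is an added example written for this article, not Tesla’s code or anything from Colombo’s report: a hypothetical token store with a weak lookup that returns the owner’s email whenever a token record exists, beside a hardened lookup that refuses expired or revoked tokens before touching any account data. All names, tokens and emails below are constructed for illustration.

```python
"""Hypothetical token-to-account lookup: weak form beside hardened form.

Added example, not Tesla's code. TokenStore, TokenRecord and the
account_email_* functions are assumptions made for this illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenRecord:
    token_hash: str        # only a hash of the bearer token is stored
    account_email: str     # the sensitive field the endpoint returns
    expires_at: float      # Unix time after which the token is dead
    revoked: bool = False  # set when the owner removes the third-party app


class TokenStore:
    """In-memory store keyed by SHA-256 of the token (constructed for the example)."""

    def __init__(self) -> None:
        self._by_hash: dict[str, TokenRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, token: str, email: str, ttl_seconds: float, now: float) -> TokenRecord:
        rec = TokenRecord(self._hash(token), email, now + ttl_seconds)
        self._by_hash[rec.token_hash] = rec
        return rec

    def revoke(self, token: str) -> None:
        rec = self._by_hash.get(self._hash(token))
        if rec is not None:
            rec.revoked = True

    def lookup(self, token: str) -> Optional[TokenRecord]:
        """Raw record lookup; says nothing about whether the token is still usable."""
        return self._by_hash.get(self._hash(token))


def account_email_weak(store: TokenStore, token: str) -> Optional[str]:
    """WEAK: returns the email for any token that was ever issued.

    Expiry and revocation are never consulted, so a key the owner already
    revoked still resolves to their email address.
    """
    rec = store.lookup(token)
    return rec.account_email if rec else None


def account_email_hardened(store: TokenStore, token: str, now: float) -> Optional[str]:
    """HARDENED: validate the token before any account data is read.

    Unknown, revoked and expired tokens all get the same uniform refusal,
    so the response does not reveal which case applied.
    """
    rec = store.lookup(token)
    if rec is None or rec.revoked or now >= rec.expires_at:
        return None
    return rec.account_email


def demo() -> dict[str, Optional[str]]:
    """Walk a constructed token through valid, revoked and expired states."""
    store = TokenStore()
    t0 = 1_000_000.0
    store.issue("tok-constructed-1", "owner1@example.invalid", ttl_seconds=3600, now=t0)
    store.issue("tok-constructed-2", "owner2@example.invalid", ttl_seconds=3600, now=t0)
    store.revoke("tok-constructed-2")
    return {
        "valid_weak": account_email_weak(store, "tok-constructed-1"),
        "valid_hardened": account_email_hardened(store, "tok-constructed-1", now=t0 + 10),
        "revoked_weak": account_email_weak(store, "tok-constructed-2"),
        "revoked_hardened": account_email_hardened(store, "tok-constructed-2", now=t0 + 10),
        "expired_weak": account_email_weak(store, "tok-constructed-1"),
        "expired_hardened": account_email_hardened(store, "tok-constructed-1", now=t0 + 7200),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {result}")
```

The point of the hardened variant is ordering: the validity check runs before the account record is consulted, and every refusal looks identical to the caller. Pairing this with an audit log of rejected lookups lets a defender notice revoked keys that keep being presented.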
After the incident, Colombo said he shared the flaws with Tesla’s engineers, who later fixed the issue, though he hopes the company holds true to its “bug bounty” policy, under which Tesla pays researchers for the discovery of such bugs.