German Teenager Explains: How I Hacked Tesla Cars Worldwide

Earlier this month, 19-year-old David Colombo (@david_colombo_) revealed he was able to hack into and gain “remote control” over 25+ Tesla cars in 13 countries without the owners’ consent or knowledge using a security vulnerability he discovered.

Now that the pertinent authorities have been informed and the security flaws he discovered have largely been patched, Colombo has published a detailed write-up explaining exactly how he was able to hack his way into more than two dozen Teslas (and uncover a vulnerability affecting many more) by “accident” and “curiosity,” as he puts it.

The German cybersecurity expert was able to gain access to Teslas thanks to a combination of exploits he found for the third-party TeslaMate companion app that many owners are fond of (all of which have since been patched in version 1.25.1 of the app) and Tesla owners’ indolence in changing default passwords, although he notes Tesla itself “could have done steps to prevent this all from happening.”

Once he had gained access to a Tesla that was vulnerable to this exploit, Colombo was able to:

  • Unlock the doors.
  • Open the windows.
  • Start Keyless Driving.
  • Share videos to the car’s infotainment system.
  • Control music.
  • Change climate control settings.
  • Honk the horn and flash the lights.

Renowned cyber security researcher John Jackson said on Twitter that it would also have been possible to use the “Summon” feature to get the car moving, although in a small radius and without actual steering control, with this kind of access.

https://twitter.com/johnjhacking/status/1481035382640693248

Here’s how Colombo gained access to random Teslas all around the world, condensed into a step-by-step guide by the hacker himself:

  • Make sure they run with the insecure default Docker configuration (this should be fixed by now, as user please pull the latest version asap).
  • Go to port 3000 to access the Grafana dashboard.
  • Login using default credentials (of course only do that with explicit authorization).
  • Go to the Explorer tab.
  • Use the Query Builder to extract the API and refresh tokens.
  • Have fun playing around with a Tesla (of course only with vehicles you own).

Once again, do note that the vulnerability Colombo originally exploited has since been patched, so this is now only possible to do with a Tesla you own and/or have the right TeslaMate credentials for.

After discovering the security hole, Colombo worked with both Tesla and the developers of TeslaMate to get things stitched up and prevent any potential malicious exploitation.