German cybersecurity researcher David Colombo stunned Tesla this week when he discovered a remote control security flaw in a third-party app that can access the EV maker’s electric car software, then promptly hacked 25 Tesla cars in 13 countries.
In what has been described as “the biggest discovery of his young career,” the 19-year-old shared his finding on Twitter, because thankfully he was not a malicious hacker.
Some questioned the motive of the young cybersecurity expert, but Colombo says he only sent commands to cars with owner’s permissions.
I only sent commands to cars where I had the explicit permission of the owner (luckily I was able to figure out a few of them).
For all others, the majority, I only validated access (without sending any actual commands to the cars) and then notified the Tesla Security Team.
— David Colombo (@david_colombo_) January 20, 2022
In fact, he was very concerned that he was not able to alert the owners that he had hacked their cars. According to him, it was not a Tesla software fault but a flaw introduced by the car owners themselves.
“This is not a vulnerability in Tesla‘s infrastructure. It‘s the owners’ faults. That’s why I would need to report this to the owners as stated above,” he said.
“Nevertheless I now can remotely run commands on 25+ Tesla‘s in 13 countries without the owners knowledge. Regarding what I‘m able to do with these Tesla’s now, this includes disabling Sentry Mode, opening the doors/windows and even starting Keyless Driving.”
“I could also query the exact location, see if a driver is present and so on. The list is pretty long,” he said.
He also joked that he could “Rick-roll” the Tesla owners (a colloquial term for playing musician Rick Astley’s “Never Gonna Give You Up” randomly to prank people).
Comedian Conan O’Brien also jumped in on the joke, saying on Twitter on Friday (Australia time) that it explained why his car was driving through Bucktail, Nebraska (a non-existent location that, like Timbuktu, is meant to stand for “the middle of nowhere”).
A hacker has taken control of 25 Teslas, which explains why right now I’m driving through Bucktail, Nebraska.
— Conan O'Brien (@ConanOBrien) January 19, 2022
But on a serious note, Colombo clarified on Twitter that the hack he’d discovered did not allow complete remote control of the Tesla cars, such as steering, acceleration and braking.
However, it could still allow a potential hacker to turn music on and off, or flash the lights constantly, which in themselves could cause accidents if they distracted drivers from safe decision-making.
He said that the Tesla security team contacted him and would be getting back to him.
Last Friday, Colombo said he’d like to see Tesla implement different API scopes, referring to limiting what actions a given access key allows one program to perform on another.
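The kind of scoped access Colombo is calling for, shown as an added example that is not code from the article, from Tesla or from any third-party app; the scope names, command names and token format are constructed assumptions for illustration only:

```python
from dataclasses import dataclass, field

# Hypothetical scope names, constructed for this example; they are not
# identifiers used by Tesla's real API.
SCOPE_READ_STATE = "vehicle:read_state"   # location, driver presence
SCOPE_CONTROL = "vehicle:control"         # doors, windows, Sentry Mode
SCOPE_DRIVE = "vehicle:keyless_drive"     # start Keyless Driving

# Scope each command requires; anything unlisted is denied by default.
REQUIRED_SCOPE = {
    "get_location": SCOPE_READ_STATE,
    "is_driver_present": SCOPE_READ_STATE,
    "disable_sentry_mode": SCOPE_CONTROL,
    "open_doors": SCOPE_CONTROL,
    "start_keyless_driving": SCOPE_DRIVE,
}


@dataclass(frozen=True)
class Token:
    """A per-integration token carrying only the scopes its owner granted."""
    owner: str
    integration: str
    scopes: frozenset = field(default_factory=frozenset)


def authorize(token: Token, command: str) -> bool:
    """Deny-by-default check: unknown commands and missing scopes both fail."""
    needed = REQUIRED_SCOPE.get(command)
    return needed is not None and needed in token.scopes


def run_command(token: Token, command: str, audit: list) -> str:
    """Enforce the scope check and record every decision so the owner can
    see which integration attempted which command, including refusals."""
    allowed = authorize(token, command)
    audit.append((token.owner, token.integration, command,
                  "allowed" if allowed else "denied"))
    return f"{command}: {'ok' if allowed else 'forbidden'}"


if __name__ == "__main__":
    log: list = []
    # A logging dashboard only needs read access; a leaked token with this
    # scope cannot open doors or start the car.
    dash = Token("owner-1", "stats-dashboard", frozenset({SCOPE_READ_STATE}))
    print(run_command(dash, "get_location", log))   # get_location: ok
    print(run_command(dash, "open_doors", log))     # open_doors: forbidden
    print(log)
```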
Bridie Schmidt is associate editor for The Driven, sister site of Renew Economy. She has been writing about electric vehicles since 2018, and has a keen interest in the role that zero-emissions transport has to play in sustainability. She has participated in podcasts such as Download This Show with Marc Fennell and Shirtloads of Science with Karl Kruszelnicki and is co-organiser of the Northern Rivers Electric Vehicle Forum. Bridie also owns a Tesla Model Y and has it available for hire on evee.com.au.