
Honey, my Tesla is in Timbuktu: Teen hacker discovers Tesla security flaw

Published by
Bridie Schmidt

German cybersecurity researcher David Colombo stunned Tesla this week when he discovered a remote control security flaw in a third-party app that can access the EV maker’s electric car software, then promptly hacked 25 Tesla cars in 13 countries.

In what has been described as “the biggest discovery of his young career,” the 19-year-old shared his finding on Twitter, because thankfully he was not a malicious hacker.

Some questioned the motive of the young cybersecurity expert, but Colombo says he only sent commands to cars with the owners’ permission.

In fact, he was very concerned that he was not able to alert the owners that he had hacked their cars. According to him, it was not a Tesla software fault but a flaw introduced by the car owners themselves.

“This is not a vulnerability in Tesla’s infrastructure. It’s the owners’ faults. That’s why I would need to report this to the owners as stated above,” he said.

“Nevertheless I now can remotely run commands on 25+ Tesla’s in 13 countries without the owners’ knowledge. Regarding what I’m able to do with these Tesla’s now, this includes disabling Sentry Mode, opening the doors/windows and even starting Keyless Driving.

“I could also query the exact location, see if a driver is present and so on. The list is pretty long,” he said.

He also joked that he could “Rick-roll” the Tesla owners (a colloquial term for playing musician Rick Astley’s “Never Gonna Give You Up” randomly to prank people).

Comedian Conan O’Brien also jumped in on the joke, saying on Twitter on Friday (Australia time) that it explained why his car was driving through Bucktail, Nebraska (a non-existent location that, as with Timbuktu, is meant to equate to “the middle of nowhere”).

But on a serious note, Colombo clarified on Twitter that the hack he’d discovered did not allow complete remote control of the Tesla cars, such as steering, acceleration and braking.

However, it could still allow a potential hacker to turn music on and off, or flash the lights constantly, which in themselves could cause accidents if they distracted drivers from safe decision-making.

He said that the Tesla security team contacted him and would be getting back to him.

Last Friday, Colombo said he’d like to see Tesla implement different API scopes, referring to the extent to which an encrypted key allows one program to access another.
