A 19-year-old hacker and security researcher said he was able to control some features of dozens of Tesla cars all over the world thanks to a vulnerability in a third-party app that allows car owners to track their car’s movements, remotely unlock doors, open windows, start keyless driving, honk, and flash lights.
David Colombo, the researcher who found the issue, asked Motherboard not to reveal all the details about his findings—such as the name of the third-party app—given that some of the vulnerabilities he discovered are yet to be fixed. Colombo allowed Motherboard to review his upcoming blog post, which contained the details.
“There are those Teslas around the world right now in 13 countries and I'm able to disable the sentry mode, unlock the doors, start keyless driving, and take them on a road trip,” Colombo told Motherboard in an interview.
Crucially, he said he cannot control the most important functions of the cars remotely, such as steering, accelerating, and braking. But he could still wreak some havoc.
“I think it can also lead to some potentially somewhat dangerous situations on the road, if you're like driving on the highway, and then randomly, someone starts blasting music at max volume or stuff like this,” he said.
Colombo explained that other than controlling some of the cars’ functions, he was also able to see a whole lot of sensitive data, such as the name that the owner gave to their Tesla, its current location, the precise routes the car took in the last few days, the speed of the car, and more.
The first time he discovered this data, Colombo was surprised.
“I was able to see where this guy was driving around,” Colombo said. “I was like, yes, sorry, what the hell I shouldn't be able to see that.”
Then he said he scanned the internet for more instances of this and found more than 125 Teslas around the world, in countries such as Germany, Belgium, Finland, Denmark, the UK, the U.S., Canada, and China.
Obviously, the biggest risk was for someone to abuse the vulnerability to locate a Tesla, go to its location, and unlock it via the vulnerable third-party open source application. Colombo said he has been working with the maintainer of the third-party app to fix the flaws.
Do you research vulnerabilities on Teslas or other cars? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email firstname.lastname@example.org
Tesla did not respond to a request for comment sent to several email addresses, including the company’s investor relations inbox, the press inbox, and one to report security vulnerabilities.
Colombo stressed that the issues he found are not Tesla’s fault. The only Teslas that were exposed were those whose owners used a specific third-party app. Without getting too specific, the crux of the issue was that the third-party app communicates with Tesla to pull the car owner’s data through the company’s API. The problem is that the app exposes the private API key of many owners to the internet, where everyone who knows where to look—like Colombo—can find it.