A teen hacker from Germany claims that he has gained access to, and control of some functions on, more than two dozen Tesla vehicles around the world.
The access was not gained because of a vulnerability in Tesla’s infrastructure, but rather due to the owners’ use of third party services and API keys.
In a thread on Twitter, 19-year-old David Colombo (@david_colombo_) says he can remotely run commands on more than 25 Teslas in 13 countries around the world.
With access to these cars, Colombo says he can disable Sentry Mode, unlock the doors, open the windows, and start the car with remote keyless driving, all without the owner’s knowledge.
He can also see the car’s exact location. In a discussion with Drive Tesla, Colombo confirmed at least one of the affected cars is in Kitchener, Ontario.
Fortunately, the hacker says he has no intentions of using his new powers for evil, but instead wants to contact the owners to let them know to better secure their accounts.
Unfortunately, he hasn’t been able to figure out a way to do this yet, but he has already submitted his concerns to MITRE’s CVE program, which works to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
UPDATE 9:42am PST: Colombo has confirmed with us that he is now coordinating with Tesla’s Product Security Team to notify the affected owners.
While Colombo was obviously unable to share the specifics with Drive Tesla, one obvious way in which you can better secure your account is to use Multi-Factor Authentication (MFA).
Tesla released this long overdue feature last year, adding an extra layer of security to your account. You can read more about MFA here.
Editor’s note: this article has been updated to clarify that the vulnerability is due to the use of third-party services and API tokens.
That’s why I would like to get this all fixed before I release any specific details regarding what exactly this all is about.
– Waiting for MITRE’s reply regarding a CVE
– Preparing my Writeup
– Coordinating disclosure to affected owners with Tesla
— David Colombo (@david_colombo_) January 11, 2022