A 19-year-old security researcher claims to have hacked remotely into more than 25 Tesla cars in 13 countries, saying in a series of tweets that a software flaw allowed him to access the EV pioneer’s systems.
David Colombo, a self-described information technology specialist from Germany, tweeted Tuesday that the software flaw allows him to unlock doors and windows, start the cars without keys, and disable their security systems.
The teenager didn’t reveal the exact details of the software vulnerability, but said it wasn’t within Tesla’s software or infrastructure, and added that only a small number of Tesla owners globally were affected. His Twitter thread elicited a robust response, with more than 800 retweets and over 6,000 likes.
“It’s primarily the owners (& a third party) fault,” Colombo said in a response to questions from Bloomberg News. “This will be described more in detail in my writeup. But glad to see Tesla taking action now.”
According to one online report, U.S.-based Tesla has a vulnerability disclosure platform where security researchers can register their own vehicles for testing, which Tesla can pre-approve. The company pays up to $15,000 for a qualifying vulnerability.
Colombo added: “I think it’s pretty dangerous, if someone is able to remotely blast music on full volume or open the windows/doors while you are on the highway. Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers.”
Colombo also clarified he had not gained ‘full remote control’ as previously stated, as he would be unable to ‘intervene with someone driving (other than starting music at max volume or flashing lights)’.
“I also cannot drive these Teslas remotely,” he said.
Later in the thread, Colombo shared an update to say that Tesla’s security team had confirmed ‘they’re investigating’ and would get back to him with more information as soon as they had it.