A 19-year-old hacker and security researcher found flaws in a third-party open-source app that allowed him to track and unlock some Teslas.
David Colombo, a 19-year-old hacker and security researcher, was able to control some features of dozens of Tesla cars around the world thanks to a vulnerability in a third-party app that lets car owners track their car’s movements, remotely unlock doors, open windows, start keyless driving, honk and flash the lights, according to VICE publication Motherboard.
Colombo asked Motherboard not to reveal all the details about his findings – such as the name of the third-party app – given that some of the vulnerabilities he discovered have yet to be fixed. However, he allowed Motherboard to review his upcoming blog post, which contained the details.
“There are those Teslas around the world right now in 13 countries and I'm able to disable the sentry mode, unlock the doors, start keyless driving, and take them on a road trip,” Colombo told Motherboard in an interview.
Crucially, Colombo said he cannot control the most important functions of the cars remotely, such as steering, accelerating and braking, but he could still wreak some havoc.
"I think it can also lead to some potentially somewhat dangerous situations on the road, if you're like driving on the highway and then randomly, someone starts blasting music at max volume or stuff like this," he said.
Colombo explained that other than controlling some of the cars’ functions, he was also able to see a whole lot of sensitive data, such as the name that the owner gave to their Tesla, its current location, the precise routes the car took in the last few days, the speed of the car and more.
The first time he discovered this data, Colombo was surprised.
"I was able to see where this guy was driving around," Colombo said.
"I was like, yes, sorry, what the hell, I shouldn't be able to see that."
Colombo then said he scanned the internet for more instances of this and found more than 125 Teslas around the world, in countries such as Germany, Belgium, Finland, Denmark, the UK, the US, Canada and China.
Obviously, the biggest risk was for someone to abuse the vulnerability to locate a Tesla, go to its location and unlock it via the vulnerable third-party open-source application.
Colombo said he has been working with the maintainer of the third-party app to fix the flaws.
According to Motherboard, Tesla did not respond to a request for comment sent to several email addresses, including the company’s investor relations inbox, the press inbox and one to report security vulnerabilities.
Colombo stressed that the issues he found are not Tesla’s fault.
The only Teslas that were exposed were those whose owners used a specific third-party app. Without getting too specific, the crux of the issue was that the third-party app communicates with Tesla to pull the car owner’s data through the company’s API.
The problem is that the app exposes the private API key of many owners to the internet, where everyone who knows where to look, like Colombo, can find it.