Hacker, 19, Claims He Was Able to Remotely Access 25 Tesla Vehicles Worldwide Due to Software Flaw

Katabella Roberts
1/12/2022 (Updated: 1/12/2022)

A 19-year-old security researcher in Germany claims he was able to remotely hack into more than 25 Tesla vehicles in 13 countries after discovering a software flaw in the company’s systems.

In a series of posts on Twitter on Jan. 11, David Colombo claimed that he had been able to remotely access the vehicles and disable Sentry Mode—a feature that allows Tesla owners to monitor suspicious activities—unlock doors and windows, and start the cars without keys.

Colombo also claimed that he could query the driver’s exact location and see if they were present in the car, saying the list of things he could do was “pretty long.”

The teenager went on to state that the vulnerability wasn’t due to Tesla’s infrastructure but was “the owners [sic] faults” and that he would “need to report this to the owners,” but he didn’t reveal the exact details of the software vulnerability.

While Colombo said he wasn’t able to remotely control steering, acceleration, or braking in the vehicles, he joked that he could “remotely rick roll the affected owners by playing Rick Astley on Youtube in their Tesla’s.”

“Yes, I potentially could unlock the doors and start driving the affected Tesla’s. No, I can not intervene with someone driving (other than starting music at max volume or flashing lights) and I also can not drive these Tesla’s remotely,” Colombo wrote on Twitter.

“I think it’s pretty dangerous if someone is able to remotely blast music on full volume or open the windows/doors while you are on the highway. Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers,” Colombo said.

“That’s why I would like to get this all fixed before I release any specific details regarding what exactly this all is about,” he said, adding that he had contacted MITRE, the American not-for-profit organization that provides engineering and technical guidance for the federal government.

Colombo said he was also in contact with the affected Tesla vehicle owners. He didn’t provide photographic or video evidence to support his claims.

In an updated Twitter post, Colombo said he'd been in contact with Tesla’s security team, who had confirmed they were investigating the incident and would update him. The MITRE Common Vulnerabilities and Exposures assignment team had also “reserved a CVE for it,” he said.

Colombo and Tesla haven’t responded to a request for comment.

Tesla vehicles have encountered a number of safety issues, including with their autonomous driving features.

In August last year, the National Highway Traffic Safety Administration opened a formal probe into Tesla’s Autopilot and full self-driving (FSD) systems following nearly a dozen crashes with parked emergency vehicles that left one person dead and injured 17 others. On Aug. 31, that investigation was expanded to cover a 12th incident.

In October, Tesla withdrew the latest version of its FSD beta software just one day after its release, after the company’s internal quality assurance found problems with some left turns at traffic lights.

Tesla has a vulnerability disclosure platform where security researchers can report legitimate vulnerabilities in Tesla vehicles and are rewarded with up to $15,000 for a qualifying vulnerability.