Teen hacker claims to have control of 25 Tesla vehicles worldwide

12 Jan 2022


The 19-year-old hacker said he can control various functions on these vehicles and has informed Tesla’s security team.

A teen hacker from Germany has claimed to have found a way to take partial control of more than 25 Tesla cars in 13 countries around the world.

David Colombo is a self-described IT security specialist and hacker who made the claim on Monday (10 January). The 19-year-old hacker said on Twitter that he could remotely disable the sentry mode protection on these EVs, open windows and doors, control the music and the vehicle lights, and start keyless driving.

While he doesn’t claim to have full control of the Tesla vehicles, Colombo said the list of things he can do is “pretty long”.

“I think it’s pretty dangerous if someone is able to remotely blast music on full volume or open the windows/doors while you are on the highway,” he tweeted. “Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers.”

The teen hacker said this is not a flaw in Tesla’s infrastructure but is the fault of the owners of the vehicles. He added that he wants to “get this all fixed” before he releases specific details on how he took control of these vehicles.

Colombo said Tesla’s security team has confirmed it is investigating the issue and that the Common Vulnerabilities and Exposures (CVE) team at Mitre has “reserved a CVE” for this issue.

TezLab, the companion app for Tesla EVs, said on its Twitter page this morning (12 January) that thousands of authentication tokens simultaneously expired and that many TezLab members will need to sign in again to re-establish connection to their vehicles. Colombo shared this statement and said: “I apologise for the inconvenience.”

Tesla runs a bug bounty programme through BugCrowd, a vulnerability disclosure platform where security researchers can submit potential issues with products and services. The company offers up to $15,000 for a qualifying vulnerability.


Leigh Mc Gowran is a journalist with Silicon Republic
