Expert Comment: Teen Claims To Have Hacked Dozens Of Teslas Worldwide

A 19-year-old claims to have hacked into more than 25 Tesla cars in 13 countries, saying in a series of tweets that a software flaw allowed him to access the EV pioneer’s systems.

David Colombo, a self-described information technology specialist, tweeted Tuesday that the software flaw allows him to unlock doors and windows, start the cars without keys and disable their security systems. Colombo noted that he could not drive the cars remotely.

Colombo also claimed he can see if a driver is present in the car.

https://www.seattletimes.com/business/teen-claims-to-have-hacked-dozens-of-teslas-worldwide/

https://www.bloomberg.com/news/articles/2022-01-12/teen-hacker-claims-to-have-taken-control-of-25-teslas-worldwide

Expert Comments

January 14, 2022
Morgan Whitlow
Sr. Security Researcher
GRIMM


From what has been said by Colombo both in the original posts to social media and within interviews, it sounds like this might have been a vulnerability in Tesla's mobile companion app or the related API.

Many of the commands and functions he mentions line up with the mobile app's features and capabilities: honking the horn, flashing the lights, unlocking the door, etc. This could explain how he's able to perform certain commands on vehicles without being able to, say, drive it around like a toy RC car, or having to be within a certain range; the app/API doesn't support that level of control.

If he's found a way to exploit the app/API, or to log in as the customer, then he's essentially tricking Tesla's backend servers into believing he's the legitimate owner, and they'll carry out any app-allowable command just the same as they would normally. That said, it's hard to say this with any certainty until we have more concrete information, but it'll be interesting to watch it unfold.

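The comment above describes a command-relay pattern: the companion app authenticates to a vendor backend with the owner's credential, and the backend forwards a fixed set of app-exposed commands to the car. The following Python model is an added illustration of that pattern and its security consequences; it is not Tesla's code or API, and every name, command, VIN and token in it is an assumption constructed for the example. It shows why a stolen owner session is indistinguishable from the owner to the backend, why the blast radius is bounded by the commands the relay actually exposes (no "drive" command exists, so none can be issued), and what the containment controls look like (session expiry and revocation).

```python
"""Toy model of a vehicle command-relay backend (added example, not Tesla's API).

Models the pattern a companion app uses: log in as the owner, get a session
token, send named commands that the backend relays to the car. Whoever holds a
valid owner session gets exactly the app's command set, no more and no less.
All commands, VINs, owner ids and tokens are constructed for this example.
"""
import secrets
import time
from dataclasses import dataclass, field

# Commands the hypothetical companion app exposes. There is deliberately no
# "drive" command: the relay cannot perform what it never implements, so a
# stolen session cannot add that capability.
APP_COMMANDS = {
    "honk_horn", "flash_lights", "door_unlock", "door_lock",
    "window_vent", "remote_start", "sentry_mode_off", "vehicle_state",
}


@dataclass
class Session:
    owner_id: str
    issued: float
    ttl: float = 3600.0          # assumed one-hour session lifetime
    revoked: bool = False

    def valid(self, now: float) -> bool:
        return not self.revoked and now < self.issued + self.ttl


@dataclass
class Backend:
    cars: dict = field(default_factory=dict)       # VIN -> owner_id
    sessions: dict = field(default_factory=dict)   # token -> Session
    log: list = field(default_factory=list)        # (owner_id, vin, cmd)

    def login(self, owner_id: str, now: float) -> str:
        """Issue a high-entropy bearer token for the owner."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(owner_id, now)
        return token

    def command(self, token: str, vin: str, cmd: str, now: float) -> str:
        """Relay one command. Authorization is purely 'who holds a live owner
        session for this VIN'; the backend cannot tell owner from token thief."""
        session = self.sessions.get(token)
        if session is None or not session.valid(now):
            return "unauthorized"
        if self.cars.get(vin) != session.owner_id:
            return "forbidden"          # valid owner, but not this owner's car
        if cmd not in APP_COMMANDS:
            return "unsupported"        # outside the app-allowable command set
        self.log.append((session.owner_id, vin, cmd))
        return "ok"

    def revoke_all(self, owner_id: str) -> int:
        """Containment step: kill every session for an owner. Returns count."""
        n = 0
        for s in self.sessions.values():
            if s.owner_id == owner_id and not s.revoked:
                s.revoked = True
                n += 1
        return n


def demo() -> dict:
    """Walk the scenario with a fixed clock and return each step's outcome."""
    be = Backend(cars={"VIN-EXAMPLE-1": "alice", "VIN-EXAMPLE-2": "bob"})
    t0 = 1_700_000_000.0                 # fixed clock for a deterministic run

    owner_token = be.login("alice", now=t0)
    attacker_token = owner_token         # assumption: the attacker obtained it

    r = {
        # Indistinguishable from the owner: the command is carried out.
        "attacker_unlock": be.command(attacker_token, "VIN-EXAMPLE-1", "door_unlock", t0 + 10),
        # Bounded by the relay's command set: nothing to drive with.
        "attacker_drive": be.command(attacker_token, "VIN-EXAMPLE-1", "drive", t0 + 11),
        # Ownership still scopes the session to the owner's own cars.
        "attacker_other_car": be.command(attacker_token, "VIN-EXAMPLE-2", "door_unlock", t0 + 12),
        # Guessing tokens is not a path in; the lookup simply fails.
        "garbage_token": be.command("not-a-real-token", "VIN-EXAMPLE-1", "honk_horn", t0 + 13),
    }
    # Containment: revoke every session, then the old token is dead.
    r["revoked_sessions"] = be.revoke_all("alice")
    r["attacker_after_revoke"] = be.command(attacker_token, "VIN-EXAMPLE-1", "honk_horn", t0 + 20)
    # The owner logs in again and works; the stolen token stays dead.
    new_token = be.login("alice", now=t0 + 30)
    r["owner_after_relogin"] = be.command(new_token, "VIN-EXAMPLE-1", "honk_horn", t0 + 31)
    # Expiry: even an unrevoked token stops working after its TTL.
    r["expired"] = be.command(new_token, "VIN-EXAMPLE-1", "honk_horn", t0 + 30 + 3600 + 1)
    r["commands_logged"] = len(be.log)
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:24s} {outcome}")
```

The two things worth taking from the model are the `unsupported` result for `drive`, which is the structural reason a leaked app session cannot turn into remote driving, and the `unauthorized` result after `revoke_all`, which is the control an operator actually needs when owner credentials or tokens leak: short session lifetimes plus a way to invalidate every outstanding session for an account.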
