September 22, 2023

David Colombo, a 19-year-old hacker and security researcher, said he was able to control some functions of dozens of Tesla cars around the world thanks to a vulnerability in a third-party app that lets car owners track their car's movements, remotely unlock doors, open windows, start keyless driving, honk, and flash lights.

"There are those Teslas around the world right now in 13 countries and I'm able to disable the sentry mode, unlock the doors, start keyless driving, and take them on a road trip."

Colombo statement

He said he could not remotely control the cars' most critical functions, such as steering, accelerating, and braking, but he could still wreak some havoc.


Colombo explained that, besides controlling some of the cars' functions, he could also see a great deal of sensitive data, such as the name the owner gave the Tesla, its current location, the precise routes it had taken in the last few days, its speed, and more.

He then said he scanned the internet for more instances of the same exposure and found more than 125 Teslas around the world, in countries including Germany, Belgium, Finland, Denmark, the UK, the U.S., Canada, and China.

The biggest risk was that someone could abuse the vulnerability to locate a Tesla, travel to it, and unlock it through the vulnerable open-source third-party application. Colombo said he had been working with the app's maintainer to fix the flaws.

Tesla did not respond to a request for comment sent to several email addresses, including the company’s investor relations inbox, the press inbox, and one to report security vulnerabilities. 


Colombo stressed that the issues he found are not Tesla's fault: the only Teslas exposed were those whose owners ran a specific third-party app. Without getting too specific, the crux of the issue was that the third-party app talks to Tesla through the company's API to pull the owner's data, which means the app holds credentials that act with the owner's authority. An instance of such an app that is reachable from the internet without protection of its own therefore hands that authority to whoever finds it, which is exactly what an internet-wide scan turns up.
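The trust relationship described above, and the internet sweep mentioned earlier, as an added model in Python. This is not the third-party app's code, Tesla's API, or Colombo's tooling; the FakeVehicleApi, the Request model, the /command/ paths, the header names and the host addresses are all constructed for illustration. It shows why a self-hosted relay that stores the owner's API token becomes the car's effective security boundary, and what the hardened form of the same relay looks like.

```python
"""Added example, not the third-party app's or Tesla's code: a model of a
self-hosted relay that stores the owner's vendor API token and exposes vehicle
commands over HTTP. FakeVehicleApi, Request, the paths and the header names
are constructed for illustration."""
from dataclasses import dataclass, field
import hmac


class FakeVehicleApi:
    """Constructed stand-in for the vendor's vehicle API. It checks exactly one
    credential, the owner's token, so whoever can make the relay send a
    command acts with the owner's full authority."""

    def __init__(self, owner_token: str) -> None:
        self._owner_token = owner_token
        self.locked = True
        self.sentry = True

    def command(self, token: str, cmd: str) -> bool:
        if not hmac.compare_digest(token, self._owner_token):
            return False
        if cmd == "door_unlock":
            self.locked = False
        elif cmd == "sentry_off":
            self.sentry = False
        else:
            return False
        return True


@dataclass
class Request:
    """Minimal HTTP request model (constructed)."""
    path: str
    headers: dict = field(default_factory=dict)


class ExposedRelay:
    """The vulnerable pattern: any caller that can reach /command/<name> gets
    the request forwarded with the owner's stored token. The relay's network
    exposure is therefore the only thing standing between the internet and
    the car."""

    def __init__(self, api: FakeVehicleApi, owner_token: str) -> None:
        self.api = api
        self.owner_token = owner_token

    def handle(self, req: Request) -> int:
        cmd = req.path.removeprefix("/command/")
        return 200 if self.api.command(self.owner_token, cmd) else 400


class HardenedRelay(ExposedRelay):
    """Same relay, but it authenticates its *own* callers before spending the
    owner's token: a per-instance bearer secret compared in constant time.
    In a real deployment this belongs behind a loopback bind or a VPN too."""

    def __init__(self, api: FakeVehicleApi, owner_token: str, relay_secret: str) -> None:
        super().__init__(api, owner_token)
        self._expected = "Bearer " + relay_secret

    def handle(self, req: Request) -> int:
        presented = req.headers.get("Authorization", "")
        if not hmac.compare_digest(presented, self._expected):
            return 401
        return super().handle(req)


def sweep(relays: dict) -> list:
    """Model of the internet sweep (constructed): send an unauthenticated
    unlock to every reachable relay and list the hosts that obey. Only
    instances with no authentication of their own answer 200."""
    hits = []
    for host, relay in relays.items():
        if relay.handle(Request("/command/door_unlock")) == 200:
            hits.append(host)
    return hits


def demo() -> dict:
    token = "owner-api-token-constructed"
    exposed_car, safe_car = FakeVehicleApi(token), FakeVehicleApi(token)
    relays = {
        "203.0.113.10": ExposedRelay(exposed_car, token),
        "203.0.113.20": HardenedRelay(safe_car, token, relay_secret="per-instance-secret"),
    }
    hits = sweep(relays)
    # The legitimate owner still gets through the hardened relay.
    owner_status = relays["203.0.113.20"].handle(
        Request("/command/sentry_off", {"Authorization": "Bearer per-instance-secret"}))
    return {
        "unauth_hits": hits,
        "exposed_car_locked": exposed_car.locked,
        "safe_car_locked": safe_car.locked,
        "owner_status": owner_status,
        "safe_car_sentry": safe_car.sentry,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the vendor API never sees the attacker: both relays present the owner's valid token, so the only check that can distinguish the owner from a stranger is the one the relay performs itself. Binding to loopback or a private network limits who can reach the relay; the bearer check limits what a reachable caller can do; a production deployment wants both.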
