A 19-year-old said he’s found flaws in a piece of third-party software, apparently used by a relatively small number of owners of Tesla Inc. cars, that could allow hackers to remotely control some of the vehicles’ functions.
David Colombo, a self-described information technology security specialist, tweeted Tuesday that the flaws gave him the ability to unlock doors and windows, start the cars without keys, and disable their security systems.
Colombo, who is based in Germany, also claimed he can see if a driver is present in the car, turn on the vehicles’ stereo sound systems and flash their headlights.
In an interview, Colombo provided screenshots and other documentation of his research that identified the maker of the software and gave details of the vulnerabilities. He asked that Bloomberg not publish specifics because the affected organization hasn’t yet published a fix. Colombo said he could access more than 25 Teslas in at least 13 countries, and he took to Twitter when he wasn’t able to contact most of the owners directly.
The problem involves an insecure way the software stores sensitive information that’s needed to link the cars to the program, Colombo said. In the wrong hands, that information could be stolen and repurposed by hackers to send malicious commands to the cars, he said. He showed Bloomberg screenshots of a private conversation over Twitter where one of the affected owners allowed him to remotely honk his car’s horn.
“This shouldn’t happen,” Colombo said. “Especially if we’re putting cars on the internet and trying to make them secure. Everyone needs to work together.”
His Twitter thread drew more than 900 retweets and more than 6,000 likes.
A representative for Tesla in the U.S. and elsewhere didn’t respond to requests for comment.
A self-described Tesla fan, Colombo said he started coding when he was 10 years old. Frustrated with high school coursework, he petitioned German authorities, with his father’s help, to let him attend school two days per week and spend the rest of his time expanding his cybersecurity skills. He also founded a company called Colombo Technology.
Like many technology companies, U.S.-based Tesla has a “bug bounty” program where cybersecurity researchers can report vulnerabilities in the company’s products and, if validated, receive payment. The company said it shares information and engages with third-party organizations when vulnerabilities affect their products.
Colombo said that he has been in touch with members of Tesla’s security team and the maker of the third-party software. The discovery highlights some of the risks of moving to the so-called Internet of Things, where everything from automobiles to refrigerators is connected online, and thus becomes potentially vulnerable to hacking threats.
“Just don’t connect critical stuff to the internet,” he said. “It’s very simple. And if you have to, then make sure it is set up securely.”