We have further proof that nearly anything can be hacked. A teenager boasted this week that he had hacked 25 Tesla cars around the world and gained remote access without their owners ever knowing.
David Columbo, the 19-year-old self-proclaimed IT security specialist and hacker, announced his gambit via a Twitter thread Monday and Tuesday. He said he’s keeping mum on how he pulled off his coup until he reports the vulnerability to Mitre, a federally funded research and development non-profit that tackles safety and stability challenges. However, Columbo did say it was due to errors on the owners’ part, not a security flaw in Tesla’s software.
Tesla’s security team told Columbo they’re looking into the situation.
The ripple effect
With his newfound power, Columbo said he could do everything from identifying the exact location of each car to disabling the vehicle’s security system, opening its doors and windows, and even playing music and YouTube videos. The only thing Columbo apparently couldn’t do was remotely drive the cars, but by knowing where the cars were located, he could theoretically steal them if he wanted to.
Columbo’s escapade may have only directly affected 25 Tesla vehicles, but the ripple effect was actually much larger – especially for those vehicles' owners. “So, I now have full remote control of over 20 Teslas in 10 countries and there seems to be no way to find the owners and report it to them,” Columbo said.
The next ripple came from TezLab, an app that gives Tesla owners “quick controls, stats and everything charging.” The app maker reported that as the hack’s effect spread, it saw the simultaneous expiration of up to a million Tesla authentication tokens. TezLab members were told that they would need to sign in again to re-establish the connection to their vehicles.
“We apologize for any inconvenience,” the company tweeted – a comment that Columbo mimicked in his own response.