On Tuesday 11 January, 19-year-old David Colombo, a self-described “information technology security specialist and hacker,” wrote on Twitter that he had found flaws in a piece of third-party software used by a relatively small number of owners of Tesla cars, meaning that hackers could remotely control some of the vehicles’ functions.

So, I now have full remote control of over 20 Tesla’s in 10 countries and there seems to be no way to find the owners and report it to them…

— David Colombo (@cyber_colombo) January 10, 2022

According to Colombo, the flaws gave him the ability to unlock doors and windows, start the cars without keys and even disable their security systems. He also claimed that he could see if a driver is present in the car, turn on the vehicles’ stereo sound systems and flash their headlights.

In other words, hacking into the third-party software in question offered him the chance to control pretty much what he wants in most Tesla cars. Considering the fact that a Massachusetts Institute of Technology (MIT) study confirmed that Tesla’s autopilot is unsafe back in September 2021, this potential addition to the infamous cars’ list of dangers came as yet another blow to Elon Musk’s company.

In an interview with Bloomberg, Colombo provided screenshots and other documentation of his research that identified the maker of the software and gave more details on the vulnerabilities it presents. He asked that the publication not publish specifics however, because the affected company had not published a fix at the time of writing. On Twitter, Colombo added that he could access more than 25 Teslas in at least 13 countries, which is why he decided to share this information on the social media platform when he wasn’t able to contact most of the owners directly.

Nevertheless I now can remotely run commands on 25+ Tesla‘s in 13 countries without the owners knowledge.

Regarding what I‘m able to do with these Tesla‘s now.
This includes disabling Sentry Mode, opening the doors/windows and even starting Keyless Driving.

[2/X]

— David Colombo (@cyber_colombo) January 11, 2022

‘So what’s wrong exactly?’ some of you might be wondering. According to what Colombo told Bloomberg, “the problem involves an insecure way the software stores sensitive information that’s needed to link the cars to the program.” While it truly depends on who can access such information, in the wrong hands, it could be stolen and repurposed by hackers to send malicious commands to the cars, he continued to explain. He even showed Bloomberg screenshots of a private conversation he had on Twitter with one of the affected owners, who allowed him to remotely honk his car’s horn.

Since then, Colombo has been in touch with members of Tesla’s security team as well as with the maker of the third-party software. Tesla has a “bug bounty” programme where cybersecurity researchers can report vulnerabilities in the company’s products and, if validated, receive payment.

Addition as of 11. Jan 22:33 (CET)

Tesla‘s Security Team just confirmed to me they’re investigating and will get back to me with updates as soon as they have them.

[8/8]

— David Colombo (@cyber_colombo) January 11, 2022

This latest discovery goes to show some of the remaining risks of moving to the so-called ‘Internet of Things’, where everything is connected online—thus becoming potentially vulnerable to hacking threats. “Just don’t connect critical stuff to the internet,” Colombo advised. “It’s very simple. And if you have to, then make sure it is set up securely.”