David Colombo, a teenage hacker and IT security researcher, discovered a way to remotely interact with and control 25+ Tesla electric vehicles in 13+ countries, according to his Jan. 11 Twitter thread.
Colombo explained in the thread that the flaw was “not a vulnerability in Tesla’s infrastructure. It’s the owners’ fault.”
The teen hacker claimed that he was able to disable the vehicles’ remote camera system, unlock doors and open windows, and even begin keyless driving. He was also able to find the cars’ exact location.
“The list is pretty long,” Colombo said. “And yes, I also could remotely rick roll the affected owners by playing Rick Astley on YouTube in their Tesla’s.”
However, Colombo clarified that he could not actually interact with any of the Teslas’ steering, throttle, or brakes through this bug. So, in this case, Tesla owners don’t need to worry about their vehicles being driven away remotely.
Colombo said that he relayed the issue to Tesla’s security team, which is currently investigating the matter.
“I think it’s pretty dangerous, if someone is able to remotely blast music on full volume or open the windows/doors while you are on the highway,” Colombo tweeted. “Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers. That’s why I would like to get this all fixed before I release any specific details regarding what exactly this all is about.”
Relatedly, a third-party Tesla app called TezLab reported on Jan. 12 that it saw the “simultaneous expiry of several thousand Tesla authentication tokens from Tesla’s side.” TezLab’s app utilizes Tesla APIs that allow apps to perform functions like logging into the car and enabling or disabling the anti-theft camera system, unlocking the doors, opening the windows, and more.