A red Tesla Model 3 in a showroom.
A Tesla Model 3 is displayed at the Tesla Experience store in Joy City, Yantai, East China's Shandong Province, Oct 17, 2021.Tang Ke/Costfoto/Barcroft Media via Getty Images
  • A 19-year-old said he was able to hack into over 25 Teslas via a bug in a popular data tool.
  • David Colombo's tweet about the issue went viral, but he waited to reveal the vulnerability until it was fixed.
  • Tesla and the third-party tool pushed updates after Colombo contacted them regarding the issue.

A 19-year-old security researcher said he was able to hack into over 25 Teslas from around the world.

On Monday, David Colombo published a blog post explaining how he was able to remotely hack into the cars via security bugs in TeslaMate, a popular open source logging tool that tracks anything from the Tesla's energy consumption to location history. 

The teenager from Dinkelsbühl, Germany first revealed news of the vulnerability on Twitter earlier in January, but waited to fully detail the issue until the bugs had been fixed.

 

Colombo said the vulnerability allowed him to remotely access multiple Tesla features, including unlocking doors and windows, and starting keyless driving. The teen also said he could turn on the stereo or honk the horn, as well as view the car's location and whether the driver was present. However, he said he does not believe it would be possible to move the vehicle remotely.

"There should be no way at all that someone could literally walk up to some Teslas they do not own and take them for a drive," Colombo said in his blog post on Medium. "I also think it potentially could result in some dangerous situations on the road. For example, if someone with remote access starts blasting music on max volume while the driver is on the highway, or randomly and uncontrollable remotely flashing the lights of the Teslas at night."

Colombo explained that the security issue revolved around how TeslaMate stored sensitive information that's needed to link the program to the car. The cybersecurity researcher explained that the information, including the car's API Key, could be repurposed to remotely send commands to the exposed Teslas and allow hackers to retain long-term access to the cars without the driver's knowledge.

Colombo said he first became aware of the vulnerability in one Tesla in October and was able to contact the owner. He found over 20 more vulnerable Teslas in January, but faced difficulty contacting the owners. 

In his efforts to alert Tesla owners to the issue, Colombo also found a flaw in the carmaker's software for its digital car key that allowed him to learn a Tesla owner's email address.

After privately reporting the issues to TeslaMate, as well as Tesla's security team, the third party tool pushed a software fix and Tesla's security team revoked all affected access tokens, as well as notified the owners. TeslaMate and a Tesla spokesperson did not respond to a request for comment from Insider, but TeslaMate told TechCrunch that the company pushed out the update within hours of receiving Colombo's email. 

The German security researcher isn't the first to hack a Tesla. Last year, two researchers showed how a drone could launch an attack via WiFi and open a Tesla's doors. In 2020, another researcher managed to hack into a Tesla's keyless entry system in 90 seconds by spoofing the signal.

Read the original article on Business Insider