David Colombo, a 19-year-old cybersecurity researcher in Germany, came upon the biggest discovery of his young career by accident.
He was performing a security audit for a French company when he noticed something unusual: a software program on the company’s network that exposed all the data about the chief technology officer’s Tesla Inc. vehicle.
The data included a full history of where the car had been driven and its precise location at that moment.
But that wasn’t all. As Colombo dug deeper he realized that he could push commands to Tesla vehicles whose owners were using the program.
That capability enabled him to hijack some functions on those cars, including opening and closing the doors, turning up the music and disabling security features. (He couldn’t take over the cars’ steering, braking or other operations, however.)
The discovery, which Colombo published on Twitter this week, triggered a vigorous discussion online as the latest example of hacking risks associated with the so-called Internet of Things, where seemingly every product — from refrigerators to doorbells — now have an internet connection.
“I’m not sure I would send that tweet again,” said Colombo, who began programming when he was 10.
“The response was crazy. Somewhere in the comments I have pro- and anti-Tesla arguing very heatedly. It just got blown up so much.”
Colombo said he found more than 25 Teslas in 13 countries throughout Europe and North America that were vulnerable to attack, and that subsequent analysis indicated there could have been hundreds more.
The flaws aren’t in Tesla’s vehicles or the company’s network but rather in a piece of open-source software that allows them to collect and analyze data about their own vehicles.
Tesla didn’t respond to requests for comment.
Colombo said a member of the company’s security team contacted him and that he shared his findings.
A spokesperson for the U.S. National Highway Traffic Safety Administration said it has been in contact with Tesla about the matter and that the agency’s cybersecurity technical team would assist with the evaluation and review of the information.
Colombo provided screenshots and other documents…