A teenage cybersecurity entrepreneur in Germany claims to have “full remote control” over more than 25 Tesla cars in 13 countries, including Switzerland.
The self-described IT security specialist and hacker made the claim via his Twitter account @David_colombo_ on Monday.
Colombo, who is the 19-year-old founder of Colombo Technology, said he could remotely run commands on the compromised vehicles without the owners’ knowledge. Actions that he can allegedly perform include disabling Sentry mode, opening the cars’ doors and windows, flashing their lights and even starting keyless driving.
The teen also claims to be able to query the exact location of the vehicle, check if the driver is present, and cause music to play on the Tesla’s sound system.
“I think it’s pretty dangerous if someone is able to remotely blast music on full volume or open the windows/doors while you are on the highway,” wrote Colombo on Twitter.
“Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers,” he added.
Colombo contacted Tesla to make them aware of the alleged issue, though he said it was not caused by a security flaw in the cars themselves.
“This is not a vulnerability in Tesla‘s infrastructure,” wrote Colombo. “It’s the owners [sic] faults.”
While Colombo’s alleged access would let him alert the owners of the compromised vehicles by playing a YouTube video on their cars’ screens, the teen was unwilling to take this step.
“I thought about honking and playing a video on the screen but that sounds a bit too intrusive to me,” he wrote.
Colombo wrote on Tuesday that Tesla’s security team had confirmed to him that they were investigating his claims and would keep him updated on their findings.
The teen is currently putting together a write-up regarding the incident, which he will send to MITRE, the organisation that assigns CVE identifiers.
Colombo said he “will release it as soon as the vulnerability got [sic] reported to the affected owners and they were able to take appropriate measures.”
The teen said he hadn’t shared any evidence of his claim on Twitter because “that’s not how responsible disclosure works.”
Kevin Dunne, president at Pathlock, commented: “Automakers can benefit from adopting zero trust policies to ensure that they are not providing unnecessary privileges to any single device.
“Working from the basic assumption that all devices on the network will be compromised, if they haven’t been already, will inevitably lead to better overall security practices and lower risk.”