Researcher Gains Remote Control Of More Than 20 Teslas

A teenager in Germany has claimed he has taken over more than 20 Tesla vehicles in 10 countries via a software vulnerability.

Researcher David Colombo, aged 19, revealed the hack on Twitter, but was quickly to point out that the fault was not down to Tesla, but rather the owners of the affected Tesla EVs who are using third party software that holds their personal data.

The flaw is said to allow Colombo to unlock doors and windows, flash the lights, start the cars without keys and even disable security systems.

He also tweeted the vulnerability lets him use the internal Tesla cameras to spy on the driver, or play music at full volume.

Remote control

Colombo made the revelation of the remote hack in a Twitter thread on Monday.

“So, I now have full remote control of over 20 Tesla’s in 10 countries and there seems to be no way to find the owners and report it to them…” he tweeted.

“Since these important facts seem to drown between other comments, I‘ll add them here again,” he added. “This is not a vulnerability in Tesla‘s infrastructure. It‘s the owners faults. That‘s why I would need to report this to the owners as stated above.”

Colombo has reportedly contacted Tesla, which is now investigating the matter.

Colombo told Daily Mail that “it is not a vulnerability in Teslas infrastructure but indeed caused by the Tesla owners and a third party,” he said.

“I’m in contact with the Tesla Product Security Team as well as the third party maintainer to coordinate disclosure and get the affected owners notified as well as a mitigation/patch for the vulnerability rolled out,he added.

The issue is said to down to third party software and how it stores the Tesla owner’s information that is needed to link the cars to the program.

Compromised software

Colombo did not reveal which software program was at fault, but Twitter users have speculated which software might be responsible.

Developer Tyler Corsair for example speculated it could be down to incorrectly configured open-source project called Teslamate.

Teslamate is a self-hosted data logger and visualisation tool for a user’s Tesla.

“These owners utilised an open-source project called Teslamate and then configured it incorrectly (partially the dev’s fault for setting bad default configurations) so that anyone could access it remotely,” he tweeted.

Corsair then posted several updates from similar third-party software companies, stating they had seen Tesla accounts disconnect from the service – all of which was due to Colombo infiltrating the systems.

These include TezLab, TeslaFi, TeslaTip and keemut.

So if a person’s Tesla seems to be acting strangely, it may be time for the driver to check what third party software programs they are using.