A 19-year-old German hacker claims he can remotely unlock the doors and windows of a Tesla electric car. He can even do this practice on more than 25 Tesla vehicles made by Elon Musk's company, which are spread in 13 countries in the world.
In addition to the doors and windows, the teenager named David Colombo also claimed he was able to turn on the headlights, radio, and even start the Tesla car engine, even though he didn't have the key.
Colombo, an IT specialist in Germany, also claims to be able to deactivate Tesla's anti-theft system, and see the driver who is in the car.
However, Colombo said he couldn't hijack a car by remotely controlling the Tesla car's steering, gas and brakes. He revealed all this through his personal Twitter account.
So, I now have full remote control of over 20 Tesla's in 10 countries and there seems to be no way to find the owners and report it to them…
“Yes, I can unlock doors and drive a Tesla that I hacked,” Colombo was quoted as saying by the New York Post.
But he admitted that he could not do the action if someone was driving the Tesla car.
“I can't access it if someone is driving it (other than playing music, volume, or turning on the lights), and I also can't drive this Tesla car remotely,” continued Colombo.
Not a bug in Tesla, but the fault of the vehicle owner
According to Colombo, the hack he was able to do was not due to a vulnerability in Tesla's infrastructure, but the fault of the vehicle owner. However, he admitted that he could not find a way to contact the owner of the affected car to convey his findings.
Only three Tesla car owners can be reached by Colombo, namely in Germany, the United States (US), and Ireland. One of them even allowed Colombo to remotely honk its car horn to confirm its vulnerability.
“I would like to report it to the relevant owner, because otherwise, maybe someone with malicious intent will discover the vulnerability of that system and do some nasty stuff. Imagine someone could climb into a Tesla, unlock it and take it for a ride,” Colombo said.
Tesla has so far not responded, but a Tesla official contacted Colombo and said the company was investigating the matter.
Meanwhile to Bloomberg, Colombo shared screenshots (screenshots) and other documents detailing some of its findings and identifying third-party app makers affected by the hack.
At the same time, Tesla's third-party app, TezLab, reported thousands of expired Tesla authentication tokens.
To note, TezLab leverages Tesla's API to allow apps to do various things, such as access car systems, enable or disable anti-theft systems, unlock doors, open windows, and more.
However, it is not yet known whether this TezLab is being used by Colombo to remotely access Tesla cars.