A teenager in Germany has claimed he has taken over more than 20 Tesla vehicles in 10 countries via a software vulnerability.

Researcher David Colombo, aged 19, revealed the hack on Twitter, but was quickly to point out that the fault was not down to Tesla, but rather the owners of the affected Tesla EVs who are using third party software that holds their personal data.

The flaw is said to allow Colombo to unlock doors and windows, flash the lights, start the cars without keys and even disable security systems.

He also tweeted the vulnerability lets him use the internal Tesla cameras to spy on the driver, or play music at full volume.

Tesla’s pricier Model S. Image credit: Tesla

Remote control

Colombo made the revelation of the remote hack in a Twitter thread on Monday.

“So, I now have full remote control of over 20 Tesla’s in 10 countries and there seems to be no way to find the owners and report it to them…” he tweeted.

“Since these important facts seem to drown between other comments, I‘ll add them here again,” he added. “This is not a vulnerability in Tesla‘s infrastructure. It‘s the owners faults. That‘s why I would need to report this to the owners as stated above.”

Colombo has reportedly contacted Tesla, which is now investigating the matter.

Colombo told Daily Mail that “it is not a vulnerability in Teslas infrastructure but indeed caused by the Tesla owners and a third party,” he said.

“I’m in contact with the Tesla Product Security Team as well as the third party maintainer to coordinate disclosure and get the affected owners notified as well as a mitigation/patch for the vulnerability rolled out,he added.

The issue is said to down to third party software and how it stores the Tesla owner’s information that is needed to link the cars to the program.

Compromised software

Colombo did not reveal which software program was at fault, but Twitter users have speculated which software might be responsible.

Developer Tyler Corsair for example speculated it could be down to incorrectly configured open-source project called Teslamate.

Teslamate is a self-hosted data logger and visualisation tool for a user’s Tesla.

“These owners utilised an open-source project called Teslamate and then configured it incorrectly (partially the dev’s fault for setting bad default configurations) so that anyone could access it remotely,” he tweeted.

Corsair then posted several updates from similar third-party software companies, stating they had seen Tesla accounts disconnect from the service – all of which was due to Colombo infiltrating the systems.

These include TezLab, TeslaFi, TeslaTip and keemut.

So if a person’s Tesla seems to be acting strangely, it may be time for the driver to check what third party software programs they are using.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Google Sued For Use Of NHS Data Of 1.6 Million Brits

Lawsuit alleges Google and Deepmind Technologies used NHS data of 1.6 million Britons 'without their…

8 hours ago

Twitter Sees Three More Executive Departures

Three executives apparently jump ship. More high level departures at Twitter, ahead of Elon Musk's…

10 hours ago

Apple Delays Staff Mandate For Three Days A Week In Office – Report

Tech giant blames rising Covid cases as it again pushes back return to office deadline,…

13 hours ago

Tesla Bluetooth Locks Can Be Hacked, Warns NCC Group

Digital locks, including those fitted to Tesla vehicles, are vulnerable to being unlocked via an…

15 hours ago

Twitter Board To ‘Enforce’ Elon Musk Merger Agreement

Legal action ahead? Elon Musk's takeover agreement of Twitter will be enforced says board of…

16 hours ago