A teenager in Germany has claimed he has taken over more than 20 Tesla vehicles in 10 countries via a software vulnerability.

Researcher David Colombo, aged 19, revealed the hack on Twitter, but was quickly to point out that the fault was not down to Tesla, but rather the owners of the affected Tesla EVs who are using third party software that holds their personal data.

The flaw is said to allow Colombo to unlock doors and windows, flash the lights, start the cars without keys and even disable security systems.

He also tweeted the vulnerability lets him use the internal Tesla cameras to spy on the driver, or play music at full volume.

Tesla’s pricier Model S. Image credit: Tesla

Remote control

Colombo made the revelation of the remote hack in a Twitter thread on Monday.

“So, I now have full remote control of over 20 Tesla’s in 10 countries and there seems to be no way to find the owners and report it to them…” he tweeted.

“Since these important facts seem to drown between other comments, I‘ll add them here again,” he added. “This is not a vulnerability in Tesla‘s infrastructure. It‘s the owners faults. That‘s why I would need to report this to the owners as stated above.”

Colombo has reportedly contacted Tesla, which is now investigating the matter.

Colombo told Daily Mail that “it is not a vulnerability in Teslas infrastructure but indeed caused by the Tesla owners and a third party,” he said.

“I’m in contact with the Tesla Product Security Team as well as the third party maintainer to coordinate disclosure and get the affected owners notified as well as a mitigation/patch for the vulnerability rolled out,he added.

The issue is said to down to third party software and how it stores the Tesla owner’s information that is needed to link the cars to the program.

Compromised software

Colombo did not reveal which software program was at fault, but Twitter users have speculated which software might be responsible.

Developer Tyler Corsair for example speculated it could be down to incorrectly configured open-source project called Teslamate.

Teslamate is a self-hosted data logger and visualisation tool for a user’s Tesla.

“These owners utilised an open-source project called Teslamate and then configured it incorrectly (partially the dev’s fault for setting bad default configurations) so that anyone could access it remotely,” he tweeted.

Corsair then posted several updates from similar third-party software companies, stating they had seen Tesla accounts disconnect from the service – all of which was due to Colombo infiltrating the systems.

These include TezLab, TeslaFi, TeslaTip and keemut.

So if a person’s Tesla seems to be acting strangely, it may be time for the driver to check what third party software programs they are using.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Microsoft Xbox Marketing Chief Leaves For Roblox

Microsoft loses Xbox marketing chief amidst executive changes in company's gaming division, broader layoffs and…

21 hours ago

YouTube Test Community ‘Notes’ Feature For Added Context

YouTube begins testing Notes feature that allows selected users to add contextual information to videos,…

22 hours ago

FTC Sues Adobe Over Hidden Fees, Termination ‘Resistance’

US regulator sues Photoshop maker Adobe over large, hidden termination fees, intentionally difficult cancellation process

22 hours ago

Tencent To Ban AI Avatars From Livestream Commerce

Chinese tech giant Tencent to ban AI hosts from livestream video platform as it looks…

23 hours ago

TikTok US Ban Appeal Gets 16 September Court Date

Action by TikTok, ByteDance and creators against US ban law gets 16 September hearing date,…

23 hours ago

US Surgeon General Calls For Warning Labels On Social Media

US surgeon general calls for cigarette-style warning labels to be shown on social media advising…

1 day ago