3rd-party flaws allowed a teen hacker to track location of Tesla cars

The security researcher made a startling revelation that he could access more than 25 Tesla vehicles in around 13 countries by exploiting the flaw.

A Germany-based teenager proclaimed in a tweet that he had identified security vulnerabilities in third-party software used in Tesla cars that allow him to take control of key functions of the car, such as unlocking windows/doors, starting the car, and disabling their security system.

Details of the Flaw

According to David Colombo (19), who claims to be an IT security specialist, he identified flaws in third-party software, which a small number of Tesla car owners use. The flaws allow hackers to take control of some of the car’s functions remotely.

Apart from controlling the car’s security system, windows/doors, Colombo stated in his tweet posted on Tuesday that he can identify if there’s someone present on the driving seat, flash the car’s headlights, disable Sentry mode, and turn on the stereo system.

Colombo noted that it is “pretty dangerous” if a remote hacker can turn the volume up and down or open the door or windows when the car is driven on the highway.

“I could also query the exact location, see if a driver is present, and so on. The list is pretty long. And yes, I also could remotely rickroll the affected owners by playing Rick Astley on Youtube in their Teslas…”

“Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers,” Colombo’s tweet read.

25 Teslas across 13 countries were accessable

Colombo made a startling revelation that he could access more than 25 Tesla vehicles in around 13 countries by exploiting the flaw.

19-year-old hacked Tesla cars through third-party software flaw — Tweets from the hacker

“Nevertheless I now can remotely run commands on 25+ Teslas in 13 countries without the owners’ knowledge. Regarding what I‘m able to do with these Teslas now. This includes disabling Sentry Mode, opening the doors/windows, and even starting Keyless Driving…” Colombo’s tweet revealed.

However, he noted that he decided to post about the issue on Twitter only after he couldn’t contact most car owners directly. He shared screenshots and other proof of his research and has informed the automaker about the name of the software vendor as well as the vulnerabilities’ details.

According to Colombo’s follow-up tweet, Tesla’s Security Team is informed about the issue and working to resolve it. Nevertheless, Colombo confirmed that he couldn’t interact with the steering, brakes, or throttle. He also clarified that the vulnerability wasn’t in Tesla’s infrastructure but was the owners’ fault.

In an conversation with Hackread,com, Lotem Finkelsteen, Head of Threat Intelligence and Research for Check Point Software Technologies said that,

“Reports that a young German hacker, David Colombo has been able to hack into a number of Tesla cars is sending shockwaves through the automotive industry and taps into our worst fears like our vehicle being taken over by a stranger while we are driving at 70mph! Looking into this is in a little more detail, this is not quite at that threat level but worthy of our attention, nonetheless.”

“Colombo was not able to take control of any vehicles in that sense but claimed he was able to control some peripheral devices on 25 poorly maintained Teslas like the volume of the sound system, windows and lights and critically he was not able to execute code on any of the compromised cars and certainly was not able to get into the drive control system. He reported the hack to Tesla and they are investigating. Colombo says this is not an inherent vulnerability in Tesla and that car owners should be able to block his intrusive access,” Lotem highlighted.

“I would challenge this conclusion. Can we really expect users to be familiar with the software configuration of a complex and highly technically advanced product like a modern automobile? Surely cars, of all things need to be secure ‘out of the box’ and secure to the highest standards. It should not be possible for the driver to allow remote access to their vehicle either by a given action or indeed inaction,” Lotem added

“That said, I can foresee a future where users will need to assume some responsibility for the cyber safety of their vehicles. If, God forbid, a hacker took control of your car and you had an accident, it would not matter whose fault it was that the car was not secured, you would want to do everything in your power to prevent it,” warned Lotem.

“Sure, we expect manufacturers to provide a fully secure vehicle but our experience in cyber tells us this is not something that can be 100% guaranteed for ever. In the same way that we expect to be proactive in protecting our laptops and phones I suspect we will need to take a more hands-on approach to ensuring our cars are protected from cyber-attacks. Indeed, when the lives of ourselves and our families are in danger, users will start to demand a level of personal control over such risks.” Lotem concluded.