
A hacker on Twitter says they took partial control of over 25 Tesla EVs

The hacker could control the lights, open windows, and more.

Image: Tesla steering wheel (Unsplash)

Tesla likes to describe itself as a software company that happens to make cars, which makes any potential security issue in that software all the more egregious. Take this report from 19-year-old self-described “IT Security Specialist & Hacker” David Colombo, who appears to have taken partial control of over 25 Tesla vehicles across the world.

That’s worrying for a vehicle that uses a smartphone app as a virtual key. If you can unlock the doors and start the car, that’s all any would-be thief needs.

Colombo claims that he had a long list of actions he could perform once he was in the system.

Those include flashing the lights, checking whether a driver was in the car, and opening windows or doors. Imagine that happening while you’re on the highway, even if you’re using Full Self-Driving. Yikes.

While he says he couldn’t control steering, acceleration, or braking, the things he could do would be distracting to the driver or other road users, at a minimum.

He says he is now in touch with Tesla’s security team, and they’re investigating the cause.

Perhaps those investigations are why Tesla revoked a large number of authentication tokens in the early hours of January 12. The revocation was noticed by TezLab, a popular third-party Tesla companion app that ties into Tesla’s vehicle API.

Colombo is staying tight-lipped about the actual vulnerability he used, except to say that it isn’t a fault in Tesla’s infrastructure. That may be why all of those authentication tokens were revoked: he might have gained access through a third party that held owners’ tokens.

If so, I’m not quite sure how he can claim it’s not a fault of Tesla while pinning the blame on users. A token obtained on one device should not simply work from any other device. If a stolen token can be replayed from an attacker’s machine, with no binding to the device that was issued it and no secondary authentication step for sensitive commands, the fault lies with Tesla for sloppy security practices, whoever leaked the token.

We’ll have to see what, if any, information comes from Colombo, Tesla, or MITRE (which generated a CVE number for this issue). We reached out to Tesla on Twitter for comment, as they don’t believe in having a PR team anymore.
