

A hacker on Twitter says they took partial control of over 25 Tesla EVs

The hacker could control the lights, open windows, and more.

Image: Tesla steering wheel (Unsplash)

Given Tesla’s claim that it is a software company that just happens to make cars, any potential security issue looks all the more egregious. Take this report from 19-year-old self-described “IT Security Specialist & Hacker” David Colombo, who appears to have taken partial control of over 25 Tesla vehicles from across the world.

That’s worrying, for a vehicle that uses a smartphone app as a virtual key. If you can open doors and start driving, that’s all any would-be thief needs.

Colombo claims that he had a long list of actions that he could do once he was in the system.

Those include flashing the lights, seeing if a driver was in the car, and opening windows or doors. Imagine that happening while you’re on the highway, even if you’re using Full Self-Driving. Yikes.

While he says he couldn’t control steering, acceleration, or braking, the things he could do would be distracting to the driver or other road users, at a minimum.

He is in touch with Tesla’s security team, and they’re investigating the cause.

Perhaps those investigations are the cause of Tesla revoking a large number of authentication tokens in the early hours of January 12. That was noticed by TezLab, a popular third-party Tesla companion app that ties into the in-car system.

Colombo is staying tight-lipped about the actual vulnerability he used, except to say that it isn’t a fault in Tesla’s infrastructure. Perhaps that’s why all of those authentication tokens were revoked, as he might have gained access through a third party.


If so, I’m not quite sure how he can claim it’s not Tesla’s fault while blaming the users. If an authentication token can be used from another device, or without some secondary authentication method, the fault lies with Tesla for sloppy security practices.
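To make the point concrete, here is an added example of the kind of server-side check the paragraph above is asking for. It is hypothetical illustration code written for this article, not Tesla’s API, TezLab’s code, or anything from Colombo’s report, and every name in it (the `owner-1` user, the `phone-A` and `laptop-B` device identifiers, the token format) is constructed. It shows a bearer token that is signed and bound to the device it was issued to, so that the same token presented from a different device is rejected, plus the two revocation paths a vendor would need: revoking one token, and bulk-revoking everything issued before a cutoff time, which is the shape of the mass revocation described above.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing key for this example only; a real service would keep this in a KMS/HSM.
SECRET = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, device_id: str, now: int, ttl: int = 3600, key: bytes = SECRET) -> str:
    """Mint a signed token bound to one device. Hypothetical format: <base64 payload>.<base64 HMAC>."""
    payload = {"sub": user, "dev": device_id, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


class TokenValidator:
    """Server-side validation: signature, revocation, expiry, and device binding, in that order."""

    def __init__(self, key: bytes = SECRET):
        self.key = key
        self.revoked_before = 0      # bulk revocation: anything issued before this timestamp is dead
        self.revoked_tokens = set()  # individual revocations

    def revoke(self, token: str) -> None:
        self.revoked_tokens.add(token)

    def revoke_all_issued_before(self, cutoff: int) -> None:
        """Mass revocation, e.g. after a suspected leak of tokens through a third party."""
        self.revoked_before = cutoff

    def validate(self, token: str, presenting_device: str, now: int):
        """Return (True, user) if the token is valid for this device, else (False, reason)."""
        parts = token.split(".")
        if len(parts) != 2:
            return (False, "malformed")
        body, sig = parts
        expected = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        # Constant-time comparison so a tampered payload with a guessed signature is rejected.
        if not hmac.compare_digest(sig, expected):
            return (False, "bad signature")
        payload = json.loads(_unb64(body))
        if token in self.revoked_tokens or payload["iat"] < self.revoked_before:
            return (False, "revoked")
        if now >= payload["exp"]:
            return (False, "expired")
        # Device binding: a token copied to another device is useless on its own.
        if payload["dev"] != presenting_device:
            return (False, "device mismatch")
        return (True, payload["sub"])


if __name__ == "__main__":
    v = TokenValidator()
    t = issue_token("owner-1", "phone-A", now=1000)
    print(v.validate(t, "phone-A", now=1500))    # (True, 'owner-1')
    print(v.validate(t, "laptop-B", now=1500))   # (False, 'device mismatch')
    v.revoke_all_issued_before(2000)
    print(v.validate(t, "phone-A", now=1500))    # (False, 'revoked')
```

Device binding on its own is not a second factor, but it removes the weakest case the paragraph describes: a token lifted from one app or device being replayed from another. The bulk-revocation cutoff is the cheap way to invalidate a whole population of tokens without tracking each one, at the cost of logging every user out.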

We’ll have to see what, if any, information comes from Colombo, Tesla, or MITRE (which generated a CVE number for this issue). We reached out to Tesla on Twitter for comment, as they don’t believe in having a PR team anymore.


Maker, meme-r, and unabashed geek with nearly half a decade of blogging experience. If it runs on electricity (or even if it doesn't), Joe probably has one around his office somewhere. His hobbies include photography, animation, and hoarding Reddit gold.
