A 19-year-old security researcher claims to have hacked remotely into more than 25 Tesla cars in 13 countries, saying in a series of tweets that he discovered a software flaw in the company’s systems.
David Colombo, a self-described information technology specialist, tweeted Tuesday that the software flaw allows him to unlock doors and windows, start the cars without keys and disable their security systems.
Colombo also claimed he can see if a driver is present in the car, turn on the vehicles’ stereo sound systems and flash their headlights.
“I think it’s pretty dangerous if someone is able to remotely blast music on full volume or open the windows/doors while you are on the highway. Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers. [4/X]”
— David Colombo (@david_colombo_) January 11, 2022
The teenager did not reveal the exact details of the software vulnerability, but said it was not within Tesla’s software or infrastructure and added that only a small number of Tesla owners globally were affected. His Twitter thread elicited a robust response, with more than 800 retweets.
A message to Colombo on Twitter seeking comment was not immediately answered. A representative for Tesla in China declined to comment, while the automaker’s global press team did not respond to an email seeking comment outside of West Coast business hours.
“Yes, I potentially could unlock the doors and start driving the affected Teslas. No, I cannot intervene with someone driving (other than starting music at max volume or flashing lights) and I also cannot drive these Teslas remotely. [7/7]”
— David Colombo (@david_colombo_) January 11, 2022
According to one online report, U.S.-based Tesla has a vulnerability disclosure platform where security researchers can register their own vehicles for testing, which Tesla can pre-approve. The company pays up to $15,000 for a qualifying vulnerability.
Colombo later tweeted he has been in touch with Tesla’s security team, and said they were investigating the issue. The team said they will come back to him with any updates, he said.