Earlier this week, a 19-year-old hacker announced on Twitter that he was able to remotely control some of the functions in over 25 Tesla automobiles across 13 different countries without their owners’ knowledge.
David Colombo, who says he is an information technology specialist based in Germany, claims that he can open the doors and windows of the affected cars, disable their anti-theft systems, initiate keyless driving, determine the cars’ exact location, and see whether a driver is inside.
Colombo clarified that the hack is “not a vulnerability in Tesla’s infrastructure” and is instead “the owners’ faults”. It appears that he took to Twitter because he could not find a way to locate the owners and inform them about the issue.
He added that yes, he could unlock the doors and start driving the affected vehicles. However, Colombo said that he cannot interfere with someone who is driving, “other than starting music at max volume or flashing lights”. He also cannot drive the Tesla cars remotely.
Colombo later tweeted that Tesla’s security team has contacted him and confirmed that they are investigating the issue.
As of this writing, Colombo’s Twitter thread has amassed more than 7,200 likes, 1,600 retweets, and several hundred responses.
Tapping into safety concerns
Lotem Finkelstein, Head of Threat Intelligence and Research for Check Point Software Technologies, shared his thoughts on the matter: “The hack is sending shockwaves through the automotive industry and has tapped into our worst fears, like our vehicle being taken over by a stranger while we are driving at 70mph. Looking into this in a little more detail, this is not quite at that threat level, but is worthy of our attention nonetheless.”
Finkelstein challenged Colombo’s conclusion that car owners should be able to block the intrusive access.
“Can we really expect users to be familiar with the software configuration of a complex and highly technically advanced product like a modern automobile?” he asked. “Surely cars, of all things, need to be secure ‘out of the box’ and secure to the highest standards. It should not be possible for the driver to allow remote access to their vehicle either by a given action or indeed inaction.”
“That said, I can foresee a future where users will need to assume some responsibility for the cyber safety of their vehicles,” Finkelstein remarked. “If, God forbid, a hacker took control of your car and you had an accident, it would not matter whose fault it was that the car was not secured, you would want to do everything in your power to prevent it.”
“We expect manufacturers to provide a fully secure vehicle, but our experience in cyber tells us this is not something that can be 100% guaranteed. In the same way that we expect to be proactive in protecting our laptops and phones, I suspect we will need to take a more hands-on approach to ensuring our cars are protected from cyberattacks,” he concluded.