19-year-old security researcher David Colombo said on Twitter that he had gained remote access to 25 Tesla cars in 13 countries around the world.
According to him, the problem lay not in the automaker's own infrastructure but in unnamed third-party software that some car owners use.
Colombo says he could remotely run commands on the affected cars, without the owners' knowledge, including disabling Sentry Mode, opening and closing doors and windows, and starting Keyless Driving. He could also query a car's exact location, check whether a driver was present in the cabin, and so on.
Fortunately, this kind of access does not reach the steering wheel or brakes, but even without that, plenty of dangerous attack scenarios remain: a car that can be located, unlocked and started remotely by a stranger is a car that can be stolen or tampered with.
Bloomberg has received proof of his claims from the researcher, including screenshots and other documentation. So far, Colombo has not released any details of his attack and has asked the media to withhold them until the vulnerability is fixed. According to him, MITRE has already reserved a CVE ID for this bug, and Tesla's security team is already carrying out the necessary checks.
Interestingly, the developers of TezLab, a third-party app for Tesla, reported that yesterday they observed the "simultaneous expiration of several thousand authentication tokens by Tesla". This app uses the Tesla APIs that allow actions such as entering a car, enabling or disabling the anti-theft camera system, unlocking doors, opening windows, and so on. A mass revocation of this kind is the response one would expect if API tokens issued to third-party software had been exposed.
Let me remind you that we previously reported that hackers gained access to surveillance cameras at Tesla, Cloudflare and banks, and that a researcher showed how to steal a Tesla Model X in a few minutes.