Later this month, an invitation-only event will be held in San Francisco, USA, hosting the German security researcher David Colombo, who became famous at the age of 19 for baffling Tesla and the world when he gained remote access to more than 20 of the company's vehicles around the globe. As this is a cybersecurity event, David will most probably discuss how he garnered international attention, say something about his company Colombo Technologies, and share his advice to global enterprises on how to prevent breaches like this in the future.
David has talked about this before, and there are quite a few interviews with him on the Internet. For those who have not read them all, here is a summary.
David Colombo, who is an ethical hacker, was performing a security audit for a French company last year when he investigated the code of a third-party, open-source data logger used with Tesla vehicles. This data logger records where a Tesla has been driven, how fast, and other usage statistics. To his amazement, David discovered that he could easily find out where the CEO of the French company had been driving his own Tesla, along with other private information.
From there, David read further source code on GitHub and discovered that he could just as easily obtain the vehicles' Tesla API access tokens, which act as digital car keys: the open-source software stored them unencrypted, and its default configuration left them reachable from the Internet on installations that had not been locked down. That gave him access not to "any Tesla", but to those whose owners ran such an exposed installation.
With those tokens, David was able to remotely disable a Tesla's Sentry security mode, unlock the doors, honk the horn, or change the volume of the music. If the owner's garage door opener was connected to the car, David could open that too, and he could do all of this worldwide from his laptop in Germany. Although David could not take over the cars' steering, braking or other driving functions, he realized that he could disable the security mode on more than 20 cars. He immediately contacted Tesla by email and reported the alarming vulnerability.
Tesla responded right away with the curt reply: "We are investigating." The following day, however, David received an email saying something like:
“We took a good look at what you found, and we are immediately revoking access tokens and notifying the owners. Thank you so much for letting us know!”