The 19-year-old German security researcher who somehow managed to gain remote access to dozens of Teslas spread out around the world has spilled the beans on how he did it.
In a Medium post, David Colombo provided an in-depth accounting and timeline of his previous experiment where he claimed he could remotely run commands (like adjusting a vehicle’s stereo volume, manipulating doors and windows, and even engaging Tesla’s “Keyless Driving” tool), potentially without drivers ever knowing. Colombo revealed he was able to gain access to the vehicles through a security flaw in an open-source logging tool called TeslaMate. That tool lets Tesla owners monitor more granular data like their vehicle’s energy consumption and location history by utilising Tesla’s API. However, Colombo said he was able to repurpose a handful of Tesla’s API Keys — which he said were stored unencrypted by TeslaMate — to run his own commands.
“You could run commands that annoy the shit out of the Tesla owner,” Colombo wrote, “And you could even steal the Tesla.” The write-up was part of Colombo’s official responsible disclosure report submitted to Tesla’s security team.
Colombo says he “found 25+ Tesla’s [sic] from 13 countries within hours.” The countries where the Tesla vehicles were located include “Germany, Belgium, Finland, Denmark, the UK, the US, Canada, Italy, Ireland, France, Austria and Switzerland,” he wrote, adding: “There were about at least an additional 30+ from China, but I really did not want to mess with China’s cyber security laws so I left them completely untouched.”
Since Tesla later revoked “thousands of keys,” Colombo said, it’s possible the issue was far more widespread than his research uncovered.
Though Colombo was able to manipulate a shocking amount of the car’s features, he does not believe he would have been able to remotely move the car or manipulate steering or brakes. Colombo said he reached out to both Tesla and TeslaMate and that fixes have been issued.
I could also query the exact location, see if a driver is present and so on. The list is pretty long.
And yes, I also could remotely rick roll the affected owners by playing Rick Astley on Youtube in their Tesla‘s😂
[3/X]
— David Colombo (@david_colombo_) January 11, 2022
In his timeline of events, the researcher said he first noticed the vulnerability in a single vehicle back in October 2021 before discovering it in 20 more early this month. Images on the blog post show detailed maps documenting the driving history of several of the affected vehicles with eerie precision. Colombo also included images of text message exchanges between himself and one of the affected Tesla owners. In that case, the owner gave Colombo permission to remotely trigger his car horn.
Colombo also provided some details on an additional flaw, this time in Tesla’s digital car key, that allowed him to obtain drivers’ email addresses. In an earnest effort to alert the previously affected drivers of the third-party flaw affecting their vehicles, Colombo said he stumbled upon a flaw that allowed him to query drivers’ email addresses. Though Colombo was searching specifically for the emails of owners of the affected vehicles, the software flaw could potentially be abused to find emails associated with other Tesla owners.
“At the beginning of the story I didn’t have any way to find owner-identifying information and now I can query email addresses even with revoked access,” Colombo wrote, “Kind of ironic!”
Colombo later clarified his findings in an interview with Bloomberg saying the flaw was found in an API for Tesla’s digital car key. The researcher said he immediately notified Tesla’s security team about the email flaw and confirmed they had quickly rolled out a patch to address the issue.
“There should be no way at all that someone could literally walk up to some Teslas they do not own and take them for a drive,” Colombo wrote.