2022-01-16

David Colombo, a 19-year-old computer security specialist, managed to gain control of 25 Tesla electric cars in 13 different countries, thanks to a vulnerability in some third-party applications that can be installed using an unofficial API of the manufacturer. Colombo announced what he had achieved via Twitter so that Tesla would become aware of it and fix the problem.

The software flaw allows access to the owners’ accounts, so that, although it is not possible to drive the cars remotely, they can be started, their doors and windows unlocked and their security systems disabled. In addition, Colombo could learn the exact location of each car, check whether the driver is present in the car, and turn on the sound systems and lights.

The 19-year-old German describes himself as an information technology specialist and did not want to reveal the exact details of the vulnerability he had found in the software, so as not to give clues to other hackers. However, in the public Twitter thread he specified that the problem is not in Tesla’s own software but in third-party applications, so only a small number of owners may be affected by it. To access the electric cars, Colombo gained access to their owners’ accounts, which allows logging in to the Tesla app and gaining some control over the vehicles.

So, I now have full remote control of over 20 Tesla’s in 10 countries and there seems to be no way to find the owners and report it to them… — David Colombo (@david_colombo_) January 10, 2022

In an interview with Bloomberg, Colombo affirms that at no time was he able to control the electric cars remotely, but he was able to carry out some actions that could cause safety problems while driving. He was also able to open the cars and disable the alarms and surveillance systems, so, in theory, it would be possible to steal them.

Tesla has a protocol for reporting security vulnerabilities in its electric cars under which owners can register their vehicles for testing, subject to Tesla’s approval. Each report verified by its specialists is financially rewarded with an amount of up to $15,000.

Colombo has been in contact with Tesla’s security team, which assures him that it is already studying the problem and will contact him with any news. The company has declined to comment on the matter to the press.

Tesla Third Party Apps

Indeed, many owners who use third-party applications have found that these have not worked for a few days, as Tesla appears to have revoked a large number of login tokens. The manufacturer does not have a store from which to download applications, but there is an unofficial API that has allowed third-party applications to exist. These add non-native functions such as recording trips and charging sessions or generating reports on battery status.

In order for these applications to access the owner’s data, they must hold either the Tesla account login credentials or an authentication token associated with the account; it is these tokens that have stopped working.

Apparently this is a consequence of Colombo’s action and of the measures Tesla has taken to close the vulnerability that allowed remote access to its application using these tokens. In practice, for owners, the fix is as simple as going into the apps and re-entering the login information.