Teen hacker finds bug that lets him control 25+ Teslas remotely | Ars Technica

revoke that token —

David Colombo says it's the owners' faults, not an infrastructure vulnerability.

Jonathan M. Gitlin - Jan 12, 2022 4:40 pm UTC

The downside with offering APIs to interact with a car is that someone else's security problem might become your own.

Getty Images

A young hacker and IT security researcher found a way to remotely interact with more than 25 Tesla electric vehicles in 13 countries, according to a Twitter thread he posted yesterday.

David Colombo explained in the thread that the flaw was "not a vulnerability in Tesla's infrastructure. It's the owner's faults." He claimed to be able to disable a car's remote camera system, unlock doors and open windows, and even begin keyless driving. He could also determine the car's exact location.

However, Colombo clarified that he could not actually interact with any of the Teslas' steering, throttle, or brakes, so at least we don't have to worry about an army of remote-controlled EVs doing a Fate of the Furious reenactment.

Colombo says he reported the issue to Tesla's security team, which is investigating the matter.

On a related note, early on Wednesday morning, a third-party Tesla app called TezLab reported that it saw the "simultaneous expiry of several thousand Tesla authentication tokens from Tesla's side." TezLab's app makes use of Tesla APIs that allow apps to do things like log in to the car and enable or disable the anti-theft camera system, unlock the doors, open the windows, and so on.