It looks like yet another technical crisis may be heading for Tesla if these tweets from a young hacker in Germany are anything to go by. While we're not sure whether this affects the Tesla Model 3, Y, S, or X in particular, the account user initially stated that he had gained control of over 20 Tesla models in 10 different countries and expressed his concerns about not being able to report it to the owners.
Account user David Colombo describes himself as a 19-year-old IT security specialist and hacker as well as the founder of Colombo Tech. This is a cyber security specialist firm that operates out of Germany and offers services such as security audits, penetration tests, and vulnerability scans. It also provides IT security consulting and will soon launch a managed cyber defense service.
In the thread of tweets, Colombo goes on to explain that the vulnerability he was able to exploit was not one found in Tesla's infrastructure and that the fault lies with the owners. This is why he wants to report the issue to the owners directly. He goes on to confirm that he can remotely run commands on more than 25 Teslas in 13 countries without the knowledge of said owners.
These functions include disabling Sentry Mode, opening the doors and windows, and even starting the car via its keyless driving feature. He also says he can query the exact location of the vehicle and see if a driver is present. As a final troll measure, he states that he can even Rickroll the affected owners by playing Rick Astley via the YouTube app.
While this does sound like a comical situation, the flaw is also a dangerous one, because it makes it possible to blast music at full volume when the driver does not expect it and even to open doors or windows while the car is at highway speeds. Simple actions such as flashing the lights non-stop can also potentially have a dangerous impact on other drivers, he explains.
Before he releases any specific details, he wants the issue to be resolved. The next steps in his plan include waiting for MITRE's reply regarding a CVE, preparing a write-up on the events that have transpired, and coordinating disclosure to the affected Tesla owners. Colombo continues to clarify that he has not gained full remote control, which means he cannot access key functions such as the steering, accelerator, or brakes. He adds that Tesla's security team has also confirmed that it is investigating the matter.