David Colombo, a 19-year-old cybersecurity researcher in Germany, came upon the biggest discovery of his young career by accident.
He was performing a security audit for a French company when he noticed something unusual: a software program on the company’s network that exposed all the data about the chief technology officer’s Tesla Inc. vehicle.
The data included a full history of where the car had been driven and its precise location at that moment.
But that wasn’t all. As Colombo dug deeper he realized that he could push commands to Tesla vehicles whose owners were using the program.
That capability enabled him to hijack some functions on those cars, including opening and closing the doors, turning up the music and disabling security features. (He couldn’t take over the cars’ steering, braking or other operations, however.)
The discovery, which Colombo published on Twitter this week, triggered a vigorous discussion online as the latest example of hacking risks associated with the so-called Internet of Things, where seemingly every product — from refrigerators to doorbells — now have an internet connection.
“I’m not sure I would send that tweet again,” said Colombo, who began programming when he was 10.
“The response was crazy. Somewhere in the comments I have pro- and anti-Tesla arguing very heatedly. It just got blown up so much.”
Colombo said he found more than 25 Teslas in 13 countries throughout Europe and North America that were vulnerable to attack, and that subsequent analysis indicated there could have been hundreds more.
The flaws aren’t in Tesla’s vehicles or the company’s network but rather in a piece of open-source software that allows them to collect and analyze data about their own vehicles.
Tesla didn’t respond to requests for comment.
Colombo said a member of the company’s security team contacted him and that he shared his findings.
A spokesperson for the U.S. National Highway Traffic Safety Administration said it has been in contact with Tesla about the matter and that the agency’s cybersecurity technical team would assist with the evaluation and review of the information.
Colombo provided screenshots and other documents detailing his findings and identifying the maker of the affected third-party software, but he asked that Bloomberg not publish specifics because the flaws hadn’t yet been fixed.
A self-described Tesla fan from Dinkelsbühl — which he described as having “one of the most beautiful old towns in all of Germany” — Colombo said his mother developed breast cancer when he was 13, and he immersed himself further in coding to help distract himself. (She died the following year, he said.)
Bored by school, he said he and his father successfully petitioned the government when he was 15 to allow him to go just two days per week and spend the rest of his time expanding his cybersecurity skills and building a consulting firm, which he named Colombo Technology.
“I was having to learn Latin and literary analysis, and I was like, ‘Why? I could be protecting companies, building secure stuff,’” he said, adding that he concluded that school “was a waste of time.”
Colombo said he has participated in several “bug bounties” — programs where companies pay independent security researchers for weaknesses found in their products — and consulted for companies helping them assess their security.
This isn’t the first time that potentially serious security vulnerabilities involving internet-connected automobiles have been disclosed.
In 2015, a pair of security researchers revealed an attack where they remotely took control of a Jeep Cherokee and killed the engine as a journalist for Wired drove the vehicle at 70 miles per hour down a highway in the U.S.
The shocking demonstration, which was possible because of flaws in the internet-connected infotainment systems, led to the automaker recalling 1.4 million cars and trucks — the first auto recall prompted by cybersecurity concerns.
Since then, researchers have disclosed numerous other hacking risks they’ve discovered with the sophisticated electronics that are increasingly being added to automobiles.
Shortly after the Jeep hack was made public, a different pair of researchers disclosed software flaws in Tesla’s Model S that could have allowed hackers to shut down a moving car’s engine.
The researchers coordinated with Tesla, which issued a software fix at the same time.
Colombo said he was able to contact three Tesla owners — in Germany, the U.S. and Ireland — before disclosing what he had discovered.
He showed Bloomberg screenshots of a private conversation on Twitter where one affected owner allowed him to remotely honk the car’s horn to confirm the vulnerability.
He said he decided to publish his findings after failing to find contact information for most of the other Tesla owners whose data was exposed.
“I wanted to report it to the owners — that’s the whole story,” he said.
“Because if I don’t do it, maybe someone with malicious intent will find those system vulnerabilities and do malicious stuff. Imagine there’s someone who can go up to the Tesla, unlock the doors and take it for a drive.”