Tesla security issues: what a kid did

The German teenager discovered the defect of an open source piece of software.

The 19-year-old German cybersecurity researcher, who accessed several Tesla cars remotely through a third-party defect, has a new trick: he hacks the email addresses of car owners to notify them that I am in danger.

Earlier this month, David Colombo discovered a malfunction in a piece of third-party open source software that allowed him to remotely hijack some functions on about two 24 Tesla models, including opening and closing doors or honking. In an attempt to notify the affected car owners, he then found a flaw in Tesla’s digital car key software that allowed them to learn their email addresses.

A serious problem

Colombo said the flaw was in a Tesla or API programming interface. Following the public announcement, a Twitter user suggested that the contact details of the affected owners could be found in the code that allows two software components to communicate with each other, also known as an API endpoint.

“Once I was able to figure out the end point, I was able to see the email address associated with the Tesla API key, the car’s digital key,” Colombo said in an interview with Bloomberg. “You should not be able to carry sensitive information, such as an email address, using access that is already expired or revoked.”

The teenager from Dinkelsbühl, Germany, said he shared the additional vulnerability with Tesla, and the company’s engineers wrote a fix to prevent it from happening in the future.

Colombo said his additional discovery should be eligible for an “error reward” from Tesla – according to company policy – but officials there have not confirmed an amount with him. He joked that he hoped the amount was high enough to cover the coffee bill he had accumulated working on the original defect in the past two weeks.