NDTV News


https://www.ndtv.com/

Teen Stumbled Onto Flaw Letting Him Hijack Teslas, Control Some Functions.

David Colombo said he was able to contact three Tesla owners -- in Germany, the U.S. and Ireland

David Colombo, a 19-year-old cybersecurity researcher in Germany, came upon the biggest discovery of his young career by accident.

He was performing a security audit for a French company when he noticed something unusual: a software program on the company's network that exposed all the data about the chief technology officer's Tesla Inc. vehicle. The data included a full history of where the car had been driven and its precise location at that moment.

But that wasn't all. As Colombo dug deeper he realized that he could push commands to Tesla vehicles whose owners were using the program. That capability enabled him to hijack some functions on those cars, including opening and closing the doors, turning up the music and disabling security features. (He couldn't take over the cars' steering, braking or other operations, however.)

The discovery, which Colombo published on Twitter this week, triggered a vigorous discussion online as the latest example of hacking risks associated with the so-called Internet of Things, where seemingly every product -- from refrigerators to doorbells -- now has an internet connection.

"I'm not sure I would send that tweet again," said Colombo, who began programming when he was 10. "The response was crazy. Somewhere in the comments I have pro- and anti-Tesla arguing very heatedly. It just got blown up so much."

Colombo said he found more than 25 Teslas in 13 countries throughout Europe and North America that were vulnerable to attack, and that subsequent analysis indicated there could have been hundreds more. The flaws aren't in Tesla's vehicles or the company's network but rather in a piece of open-source software that allows owners to collect and analyze data about their own vehicles.

Tesla didn't respond to requests for comment. Colombo said a member of the company's security team contacted him and that he shared his findings. A spokesperson for the U.S. National Highway Traffic Safety Administration said it has been in contact with Tesla about the matter and that the agency's cybersecurity technical team would assist with the evaluation and review of the information.

Colombo provided screenshots and other documents detailing his findings and identifying the maker of the affected third-party software, but he asked that Bloomberg not publish specifics because the flaws hadn't yet been fixed.

A self-described Tesla fan from Dinkelsbühl -- which he described as having "one of the most beautiful old towns in all of Germany" -- Colombo said his mother developed breast cancer when he was 13, and he immersed himself further in coding to help distract himself. (She died the following year, he said.)

Bored by school, he said he and his father successfully petitioned the government when he was 15 to allow him to go just two days per week and spend the rest of his time expanding his cybersecurity skills and building a consulting firm, which he named Colombo Technology.

"I was having to learn Latin and literary analysis, and I was like, 'Why? I could be protecting companies, building secure stuff,' " he said, adding that he concluded that school "was a waste of time."

Colombo said he has participated in several "bug bounties" -- programs where companies pay independent security researchers for weaknesses found in their products -- and consulted for companies helping them assess their security.

This isn't the first time that potentially serious security vulnerabilities involving internet-connected automobiles have been disclosed. In 2015, a pair of security researchers revealed an attack where they remotely took control of a Jeep Cherokee and killed the engine as a journalist for Wired drove the vehicle at 70 miles per hour down a highway in the U.S. The shocking demonstration, which was possible because of flaws in the internet-connected infotainment systems, led to the automaker recalling 1.4 million cars and trucks -- the first auto recall prompted by cybersecurity concerns.

Since then, researchers have disclosed numerous other hacking risks they've discovered with the sophisticated electronics that are increasingly being added to automobiles.

Shortly after the Jeep hack was made public, a different pair of researchers disclosed software flaws in Tesla's Model S that could have allowed hackers to shut down a moving car's engine. The researchers coordinated with Tesla, which issued a software fix at the same time.

Colombo said he was able to contact three Tesla owners -- in Germany, the U.S. and Ireland -- before disclosing what he had discovered. He showed Bloomberg screenshots of a private conversation on Twitter where one affected owner allowed him to remotely honk the car's horn to confirm the vulnerability.

He said he decided to publish his findings after failing to find contact information for most of the other Tesla owners whose data was exposed.

"I wanted to report it to the owners -- that's the whole story," he said. "Because if I don't do it, maybe someone with malicious intent will find those system vulnerabilities and do malicious stuff. Imagine there's someone who can go up to the Tesla, unlock the doors and take it for a drive."

(Except for the headline, this story has not been edited by NDTV staff and is published from a syndicated feed.)
