Berlin, Jan 26 : A 19-year-old German cybersecurity researcher who had hacked dozens of Tesla vehicles has revealed another flaw in the Tesla application programming interface (API). The teen Tesla hacker who had remotely accessed dozens of Tesla cars through a third-party flaw has revealed that he was able to able hack the car owners’ email addresses last month due to a flaw in the digital car key. In a Medium post on Tuesday, David Colombo has provided an in-depth and timeline of his previous experiment wherein he claimed that he could remotely run commands without the drivers’ knowledge. He said, “I was able to run remote commands such as ‘disable Sentry Mode’, ‘unlock the doors’, ‘open the windows’ and even ‘start Keyless Driving’.”
He further said that he was able to locate more than 25 Tesla’s from 13 countries within hours, including Germany, Belgium, Finland, Denmark, the UK, the US, Canada, Italy, Ireland, France, Austria and Switzerland. He also found more than 30 Teslas from China.
The teenager said he shared information about the vulnerability with Tesla. To deal with the issue, Colombo has suggested Tesla to revoke API tokens when the Tesla account password is reset or an easy way to revoke API keys manually. He further said multiple scopes to the API should be added such as “Read-Only Scope (for third-party software that only needs to collect data), Non-Critical Scope (seat heater, etc), Critical Scope (unlocking doors, keyless driving, etc)”.
