Teen Tesla hacker accessed owners’ email addresses to warn them



The 19-year-old cybersecurity researcher who remotely accessed dozens of Tesla Inc vehicles through a third-party flaw has a new trick: hacking the car owners’ email addresses to notify them they’re at risk.

Earlier this month, David Colombo discovered a flaw in a piece of third-party open source software that let him remotely hijack some functions on about two dozen Teslas, including opening and closing the doors or honking the horn. In trying to notify the affected car owners, he then found a flaw in Tesla’s software for the digital car key that allowed him to learn their email addresses.

Colombo said the defect was in a Tesla application programming interface, or API. After he publicised his first discovery, a Twitter user suggested contact details for the affected owners could be found in the code that allows two pieces of software to communicate with each other, also known as an API endpoint.

“Once I was able to figure out the endpoint, I was indeed able to carry the email address associated with the Tesla API key, the digital car key,” Colombo said in an interview Monday with Bloomberg Television. “You shouldn’t be able to carry sensitive information like an email address using an access that is already expired or revoked.”

The teenager, from Dinkelsbühl, Germany, said he has shared the additional vulnerability with Tesla, and the car company’s engineers have written a fix to prevent it from happening in the future.

Tesla didn’t respond to a request for comment. Colombo said his additional discovery should be eligible for a “bug bounty” from Tesla – consistent with the company’s policy – but officials there haven’t confirmed an amount with him. He joked that he hopes the sum is big enough to cover the coffee bill he’s amassed working on the original flaw the last two weeks. – Bloomberg
