

How a hacker gained access to 25 Teslas

Anatolii Viklov

Mátyás Canter-Hiszem

Angelica Rizaeva

Did you hear the news? A teen hacker from Germany discovered security flaws that let him control 25 Teslas remotely. Check out the article and read our guide on “How to maximize the safety of your own connected car!”

David Colombo, a young IT security entrepreneur and hacker, claimed on Twitter that he had discovered a way to interact remotely with over 20 Tesla vehicles in 10 countries.
Later in the posts, David claimed that more than 25 Teslas were exposed in 13 countries. With the access he gained, the hacker claimed he could disable Sentry Mode, open the doors/windows, and even start Keyless Driving.
Importantly, David Colombo explained that the flaw was "not a vulnerability in Tesla's infrastructure. It's the owners’ fault."
What we know for now is that the fault is not on Tesla's side, and Tesla's recent revocation of many API authentication tokens may be related to this discovery. Whether the tokens leaked from some third-party app or service is still an open question. Currently, this information is not disclosed publicly, to protect users who have not yet patched their systems.
We recommend exercising great caution when using third-party applications for remote vehicle control and monitoring, as the vehicle manufacturer won't be responsible for security breaches of such apps. And yet there are still big questions: what security measures are those third-party applications implementing, and are they enough to protect car owners?
Now, the important question: “How can you avoid this sort of situation?”
It is largely the responsibility of car owners to minimize their risks and maximize the safety and security of a connected car. Use our guide below to learn which measures you should take to safeguard your life and enhance the protection of your vehicle:
  • Perform the latest updates. Keep your systems up to date and stay in touch with your car’s manufacturer. We all know out-of-date systems can be vulnerable.
  • Trust only authorized service centers. Firmware updates should be performed only in authorized service centers, otherwise you risk damaging your car and voiding its warranty. At the moment, over-the-air software updates are only available for a limited number of car models.
  • Keep your smartphone up to date. Keep your smartphone’s operating system and apps up to date; updates are often released to fix possible security vulnerabilities that could allow cyber criminals to access your phone. 
  • Set a password on your smartphone. If you’re planning to use your smartphone to make payments connected to your car, such as parking or road toll fees, make sure your phone is password protected.
  • Use strong passwords for in-vehicle Wi-Fi. Whenever you use your car’s built-in Wi-Fi, change the default password, and never keep the new password written down inside the car.
  • Remove default credentials. Always change default access credentials on your services. Check manuals and security guidelines for applications and services you use.
  • Enable only required functionality. Double-check and allow only required functionality and access on your apps. Do not leave applications or services you use in the default configuration.
  • Block exposed ports on desktop apps. Check what network ports are exposed to the internet by your desktop apps and close or block, by means of a firewall, the ones you don’t need to use.
  • Turn off Wi-Fi. Disable Wi-Fi and Bluetooth in your car when you are not using them.
  • Avoid public Wi-Fi. Do not use public Wi-Fi networks for performing critical online activities, such as remote control of your vehicles.
  • Change the home address in your car’s sat nav system. As an alternative to setting your home address to your house, you should consider setting a shortcut to a nearby junction or to the nearest motorway exit, if you don’t want to expose where exactly you live.
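
One way to carry out the "Block exposed ports on desktop apps" check on a Linux desktop, as an added example that is not part of the original article: it parses the output of `ss -H -tln` and lists TCP listeners that are not bound to loopback only. The sample output, the port numbers and the `needed_ports` allow-list are constructed assumptions.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not captured from a real host).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  127.0.0.1:5432     0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8443       0.0.0.0:*
LISTEN 0 128  [::1]:631          [::]:*
LISTEN 0 511  *:9000             *:*
LISTEN 0 128  192.168.1.20:8080  0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53   0.0.0.0:*
"""

def bind_scope(host):
    """Classify the address a listener is bound to."""
    if host == "*":                       # ss prints * for a dual-stack wildcard
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback-only"            # reachable from this machine only
    if addr.is_unspecified:               # 0.0.0.0 or ::
        return "all-interfaces"
    return "single-interface"

def exposed_listeners(ss_output, needed_ports=frozenset()):
    """Return (port, local_address, scope) for listeners to close or firewall.

    Anything not bound to loopback is reachable from the local network; whether
    it is also reachable from the internet depends on the router and firewall.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]   # drop IPv6 brackets, %iface scope
        scope = bind_scope(host)
        if scope != "loopback-only" and int(port) not in needed_ports:
            findings.append((int(port), fields[3], scope))
    return sorted(findings)

if __name__ == "__main__":
    # needed_ports is a hypothetical allow-list of services you really use.
    for port, local, scope in exposed_listeners(SAMPLE_SS_OUTPUT, {8080}):
        print(f"review port {port}: bound to {local} ({scope})")
```

On a real machine, feed it the text printed by `ss -H -tln` instead of the sample, then close or firewall each reported port you do not need.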


