So, I now have full remote control of over 20 Teslas in 10 countries and there seems to be no way to find the owners and report it to them…
Since these important facts seem to drown between other comments, I’ll add them here again 👇
This is not a vulnerability in Tesla’s infrastructure. It’s the owners’ fault. That’s why I would need to report this to the owners as stated above.
[1/X]
Nevertheless, I now can remotely run commands on 25+ Teslas in 13 countries without the owners’ knowledge.
Regarding what I’m able to do with these Teslas now:
This includes disabling Sentry Mode, opening the doors/windows and even starting Keyless Driving.
[2/X]
I could also query the exact location, see if a driver is present and so on. The list is pretty long.
And yes, I also could remotely rickroll the affected owners by playing Rick Astley on YouTube in their Teslas 😂
[3/X]
I think it’s pretty dangerous if someone is able to remotely blast music on full volume or open the windows/doors while you are on the highway.
Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers.
[4/X]
That’s why I would like to get this all fixed before I release any specific details regarding what exactly this all is about.
Next steps:
- Waiting for MITRE’s reply regarding a CVE
- Preparing my writeup
- Coordinating disclosure to affected owners with Tesla
[5/5]
Small addition (for media reporters):
As already stated in some other replies, it is not “full remote control” as in being able to remotely control steering or acceleration & braking.
[6/7]
Yes, I potentially could unlock the doors and start driving the affected Teslas.
No, I cannot intervene with someone driving (other than starting music at max volume or flashing lights) and I also cannot drive these Teslas remotely.
[7/7]
Addition as of 11. Jan 22:33 (CET)
Tesla’s Security Team just confirmed to me they’re investigating and will get back to me with updates as soon as they have them.
[8/8]
The MITRE CVE Assignment Team reserved a CVE for it.
🎉
[9/9]
