David Colombo on Tesla Hacks and Growing into Hacking, Ethical Hacking, Security Researcher, Tesla, Vulnerability

Cybellum had the pleasure of interviewing David Colombo, the cyber boy wonder of Germany, and founder of Colombo Technologies for our podcast, Left to Our Own Devices.

Not yet 20 years old, the prolific cyber researcher already has to his credit the exposure of numerous critical vulnerabilities, including the honor of hacking his way into Tesla vehicles!

Since we analyze vehicle vulnerabilities on a daily basis for our product security platform, we couldn’t wait to hear more about how a young hacker managed to breach Tesla systems. We’ll elaborate on how he did that a little later.

Of course, David, being an ethical hacker, tries to make the world a better place by immediately sharing his findings with the world, enabling the security research community to fix cyber issues before actual breaches occur.

So, how did it all start?

Quick Study in Cyber

David was just a kid when he got interested in computing. Receiving his first laptop on his 10th birthday, he was immediately enthralled by how it worked and especially, of course, the internet. Quickly mastering computing and networking basics, David began his journey into software development. Examining his own code, it suddenly dawned on him that there were vulnerabilities that could enable an outsider to run code on his own laptop without his knowledge.

That was the eureka moment that sparked his passion for research into vulnerabilities across applications, operating systems, and devices.

By the time he entered his teens, David was already figuring out how to protect companies, hospitals, and other computer users and networks. He found that activity a lot more exciting than spending time in the classroom.

By 10th grade, he located a mentor from the German Chamber of Commerce who was able to get his school to give him permission to show up only one or two days a week, allowing him to dedicate the rest of his time to building up his computing and cyber skills.

At the tender age of 16, David started his own cybersecurity company. But being too young to legally engage in commerce, his father had to sign the consulting contracts on his behalf. At 18 David finally became legally able to conduct cyber business on his own.

Tu Tesla, Mi Tesla

So how did David Colombo, at the tender age of 19, hack into ultra-high tech Tesla cars?

Before describing the process, David assures us that since he’s in the business of ethical hacking, everything he tells us is now public and will not compromise Tesla cars, or their owners in any way. So, here’s the story.

Just last year, David was starting to perform a security audit for a French company. He took a look at the code that constituted a data logger that was being used by Tesla. The data logger shows where the Tesla has been driven, how fast, and other such usage statistics. But to his amazement, David could easily find out where the CEO of the French company was driving his own Tesla, along with other private information.

Being a Tesla fan, he started reading source code from GitHub that went into other Tesla components.

Ach du lieber! He discovered that open source software stores the digital car keys in a way that can be accessed easily from the outside. And not encrypted at all. David could easily obtain the digital car keys to any car.

What could he do with those keys? Just remotely disable the car’s security mode, unlock the doors, honk the horn – “little” things like that. If the owner’s garage door opener was connected to the car, David could open the garage door, too – in Finland, in Switzerland, anywhere – all from his laptop in Germany!

Was this a fluke? Were more than one or two cars involved? David quickly ran an internet search. Nein. David easily found more than 20 cars that he could breach.

Immediately, he contacted Tesla via email and reported the alarming vulnerability.

How did Tesla respond? Right away. But David received only a curt reply, “We are investigating.” However, the next day, the OMG! email came. “We took a good look at what you found and we are immediately revoking access tokens and notifying the owners. Thank you so much for letting us know!”

Security Insights

David’s young age does not do justice to his great accumulation of cyber knowledge and experience. Today, his consulting expertise is in great demand. He shares with us some of the insights that he has collected.

  1. The shortage of cybersecurity personnel and expertise is dire. Automotive, medical, and other industries need lots of dedicated people who are passionate about cybersecurity.
  2. Even “ancient” vulnerabilities continue to afflict the secure operations of modern, connected machines. For example, lots of the latest medical equipment is based on Windows XP and is vulnerable to the same security flaws that have plagued XP systems for decades.
  3. Most importantly, David says, “Don’t give up. Stay focused. As a cybersecurity professional, you will have a great impact on security, industries, and society.”

The Future

There’s no doubt David is a huge talent, and we’re all very lucky he’s on the right side of hacking. But his story sheds a light on the state of automotive product security: it’s easier than we thought to breach many of today’s advanced smart cars’ security.

Tesla, as opposed to other vehicle manufacturers, built its product on software, and is expected to have the cybersecurity controls in place to manage the codebase developed in-house. For every Tesla, there are thousands of other devices and vehicles that are relatively new to the cybersecurity game, and are still struggling to secure their software supply chain from malicious players. This makes most vehicles that much easier to exploit – even without David’s expertise.

At Cybellum, our mission is to equip product security teams with a powerful product security platform that addresses new and emerging cyber threats, so it won’t come to that.

You can listen to this and other Left to Our Own Devices episodes at https://cybellum.com/podcasts/

To learn more about how Cybellum helps protect vehicles and other devices, visit Cybellum.com.

Sponsored by Cybellum


New NHTSA chief: Agency to scrutinize auto-driver technology

NHTSA administrator Steven Cliff, during an interview with The Associated Press, Wednesday, June 29, 2022 in Washington. Credit: AP Photo/Dan Huff The new head of the government’s road safety agency says it will intensify efforts to understand the risks posed by automated vehicle technology so it can decide what ...

View more: New NHTSA chief: Agency to scrutinize auto-driver technology

Laser writing may enable 'electronic nose' for multi-gas sensor

Alexander Castonguay (left), graduate student in the laboratory of Assistant Professor Lauren Zarzar, and Assistant Professor Huanyu “Larry” Cheng used this laser set up for their multi-disciplinary collaboration. Credit: Kelby Hochreither/Penn State. Environmental sensors are a step closer to simultaneously sniffing out multiple gases that could indicate disease or ...

View more: Laser writing may enable 'electronic nose' for multi-gas sensor

Researchers caution beachgoers ahead of white shark season

A shark is seen swimming across a sand bar on Aug. 13, 2021, from a shark watch with Dragonfly Sportfishing charters, off the Massachusetts’ coast of Cape Cod. Megan Winton, of the Atlantic White Shark Conservancy, said Wednesday, June 29, 2022, that July is when white sharks appear in ...

View more: Researchers caution beachgoers ahead of white shark season

Webb telescope: NASA to reveal deepest image ever taken of universe

A wonder of engineering, Webb is able to gaze further into the cosmos than any telescope before it thanks to its enormous primary mirror and its instruments that focus on infrared, allowing it peer through dust and gas. NASA administrator Bill Nelson said Wednesday the agency will reveal the ...

View more: Webb telescope: NASA to reveal deepest image ever taken of universe

Team reassesses greenhouse gas emissions from African lakes

Credit: CC0 Public Domain The emissions of carbon dioxide (CO2) and methane (CH4)—the most potent greenhouse gases—into the atmosphere from African lakes are reassessed in a study undertaken by the Laboratory of Chemical Oceanography (FOCUS research unit / Faculty of Science). While it was previously assumed that these lakes ...

View more: Team reassesses greenhouse gas emissions from African lakes

Business sentiment worsens for July amid inflation, recession woes

SEOUL, June 30 (Yonhap) — South Korea’s business sentiment worsened for July amid deepening concerns over high raw materials prices and a global economic downturn, a central bank poll showed Thursday. The business sentiment index (BSI) for local companies came to 82 for July, down 5 points from the previous ...

View more: Business sentiment worsens for July amid inflation, recession woes

When should I buy my kid a Nintendo Switch?

Source: iMore As a parent or guardian in this day and age, it’s likely that you will be asked at some point to buy your kid(s) a Nintendo Switch. And although Nintendo is known for its family-friendly games and kid-friendly systems, it still may be a tough choice to decide ...

View more: When should I buy my kid a Nintendo Switch?

Experts Provide Online Data Protection Advice Following Roe v. Wade Overturn

(Photo : Photo by OLIVIER DOULIERY/AFP via Getty Images) Legal and information technology (IT) experts are debating how state-wide reproductive control laws would affect personal information protection following the overturn of the landmark Roe v. Wade case. Digital Evidence Is Still The Primary Documentation Used By Prosecutors in Violations of Reproductive ...

View more: Experts Provide Online Data Protection Advice Following Roe v. Wade Overturn

As iPhone turns 15, old prototypes could fetch $500,000

Being mindful can improve your interactions with co-workers, new study finds

Cooking up a conductive alternative to copper with aluminum

FCC commissioner demands Apple and Google remove TikTok app

Bitcoin ‘Optimist’ Alex Adelman Calls NFTs ‘Perfect Intersection of Culture and Technology’

Redmi Note 11 finally gets Android 12 update

Choose Your Own EK-Quantum, The Surface S360 Or Surface X360M

Is Nissan Killing Off the Titan? Reportedly, Yes

First national guidelines established for integrated student support programs in K-12 schools

Shimano 105 Goes Electric, Possibly Their Biggest Revamp Ever

SpaceX's Starlink Satellite Broadband Is Speeding Up, Ookla Says

You Can Finally Afford to Buy a GPU Again


Top Car News Car News