Hacker, 19, takes control of more than 20 Teslas through a flaw in third-party software

A 19-year-old hacker claims to have taken over more than 20 Tesla vehicles in 10 countries through a software vulnerability.

David Colombo, who is based in Germany, shared the feat on Twitter saying the fault does not fall on the Elon Musk-founded company, but on  owners of the Teslas.

The flaw is said to have been found in third-party software that allowed Colombo to unlock doors and windows, start the cars without keys and disable security systems.

He also tweeted the vulnerability lets him use the internal Tesla cameras to spy on the driver.

Colombo told DailyMail.com that ‘it is not a vulnerability in Teslas infrastructure but indeed caused by the Tesla owners and a third party,’ he said, confirming it is a third part software that is at fault.

‘I’m in contact with the Tesla Product Security Team as well as the third party maintainer to coordinate disclosure and get the affected owners notified as well as a mitigation/patch for the vulnerability rolled out.’

The issue with the software is how it stores the Tesla owner’s information that is needed to link the cars to the program.

Scroll down for video 

In the tweet thread, he states it is possible for him to remotely unlock the doors and start driving the Tesla.

However, he is unable to ‘intervene with someone driving (other than starting music at max volume or flashing lights).’

Although Colombo has not provided details of the software, Twitter users are making their own guesses.

Tyler Corsair tweeted: ‘These owners utilized an open-source project called Teslamate and then configured it incorrectly (partially the dev’s fault for setting bad default configurations) so that anyone could access it remotely.’

Teslamate is a self-hosted data logger and visualization tool for your Tesla.

Corsair posted several updates from similar third-party software companies, stating they had seen Tesla accounts disconnect from the service – all of which was due to Colombo infiltrating the systems.

These include TezLab, TeslaFi, TeslaTip and keemut.

Corsair tweeted: ‘This seems to not be impacting all installations (seems less likely if authenticated within the last few months) which is great! Many third-party services have been impacted by this in different ways. For most, just reconnecting your Tesla Account will resolve the issue.

He continued to explain in another tweet that Colombo’s warning is not as dramatic as it may seem.

‘This security researcher (@david_colombo_) appears to be over-hyping the severity of this issue just for follows, so pretty safe to disregard their thread,’ Corsair tweeted.

Colombo told DailyMail.com in response to Corsair’s tweet: ‘I don’t think I’m trying to make this look worse at it is. 

‘But I fully understand that there’s a lot of hype and speculation around this due to the limited details I’m able to provide to the public at this point in the disclosure.’

He continued to explain that if it was not an issue than the Tesla Security team would not be investigating it.

‘If my reports to the involved parties would not have some kind of severity then the Tesla Security Team would probably not investigate this issue, the third-party maintainer would probably not release patches in connection to this and tech / cyber security reporters with access to my writeup probably would not have reported on this issue in the way they do,’ Colombo said in a direct message.