Hacker gained access to Tesla car owners' email and warned them

A 19-year-old cybersecurity researcher who remotely accessed several Teslas via a third-party flaw has devised a new tactic: hacking the car owners' email addresses to notify them that their vehicles are vulnerable.

David Colombo discovered a flaw in a piece of third-party open source software earlier this month that let him remotely hijack some functions on about two dozen Teslas, such as opening and closing doors or honking the horn. While attempting to notify the owners, he found a second flaw, this one in Tesla's own software for the digital car key, that allowed him to learn the email addresses of the affected car owners.

The second flaw, according to Colombo, was in a Tesla application programming interface, or API. Following his initial discovery, a Twitter user suggested that contact information for the affected owners could be retrieved from one of the API's endpoints, the addresses through which one piece of software requests data from another.

"Once I figured out the endpoint, I was able to carry the email address associated with the Tesla API key, the digital car key," Colombo explained in an interview with Bloomberg Television on Monday. "You should not be able to transport sensitive information, such as an email address, using an access that has already expired or been revoked."
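The failure mode Colombo describes, a lookup that still returns the account behind a key after that key has expired or been revoked, is easy to reproduce in miniature. The following is an added illustration, not code from Tesla, from Colombo, or from the article: a constructed token store with one live, one expired and one revoked key, a weak handler that answers for all of them, and a hardened handler that authenticates the key before disclosing anything. The store layout, field names and handler names are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed sample data for illustration only. The field names and the
# token store are assumptions; they do not reflect any real vendor API.
@dataclass
class Token:
    email: str
    expires_at: float
    revoked: bool = False

NOW = 1_700_000_000.0  # fixed clock so the example is deterministic

TOKENS = {
    "key-active":  Token("alice@example.com", expires_at=NOW + 3600),
    "key-expired": Token("bob@example.com",   expires_at=NOW - 3600),
    "key-revoked": Token("carol@example.com", expires_at=NOW + 3600, revoked=True),
}


def lookup_email_vulnerable(api_key, now=NOW):
    """Weak endpoint: resolves the account behind any key the store still
    remembers, so an expired or revoked key still discloses the owner's
    email. Returns (http_status, body)."""
    tok = TOKENS.get(api_key)
    if tok is None:
        return 404, None
    return 200, {"email": tok.email}


def lookup_email_hardened(api_key, now=NOW):
    """Hardened endpoint: authenticate the key first, then disclose.
    Unknown, expired and revoked keys all receive the same 401 so the
    endpoint cannot be used as an oracle for which keys ever existed."""
    tok = TOKENS.get(api_key)
    if tok is None or tok.revoked or tok.expires_at <= now:
        return 401, None
    return 200, {"email": tok.email}


def dead_key_leaks(handler, now=NOW):
    """Regression check: list every key that is expired or revoked but for
    which `handler` still returns the associated email."""
    leaked = []
    for key, tok in TOKENS.items():
        dead = tok.revoked or tok.expires_at <= now
        status, body = handler(key, now)
        if dead and status == 200 and body and "email" in body:
            leaked.append(key)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", dead_key_leaks(lookup_email_vulnerable))
    print("hardened leaks:  ", dead_key_leaks(lookup_email_hardened))
```

The point of the check is that revocation and expiry have to be enforced on every read of token-bound data, not only on actions such as unlocking a door; an endpoint that skips the check on a "harmless" read becomes the disclosure path.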

The teenager, from Dinkelsbühl, Germany, said he has shared the additional vulnerability with Tesla, and the company's engineers have written a fix to prevent it from happening in the future.

Tesla didn't respond to a request for comment. Colombo said his additional discovery should be eligible for a "bug bounty" from Tesla -- consistent with the company's policy -- but officials there haven't confirmed an amount with him. He joked that he hopes the sum is big enough to cover the coffee bill he's amassed working on the original flaw the last two weeks.
