Analyzing vehicle vulnerabilities is pivotal for cybersecurity. Of the many hackers looming in the shadows, trying to get in, only a few are successful. David Colombo is one of them, but he is a different kind of hacker: an ethical one. Through his hacks, he tries to make the world a better, more secure place by sharing his findings and enabling the security research community to fix cyber issues before actual breaches occur.

So, how did it all start? His recent interview on Left to Our Own Devices shares his story and insights.

Quick Study in Cyber

David was just a kid when he got interested in computing. Receiving his first laptop on his 10th birthday, he was immediately enthralled by how it worked and especially, of course, the internet. Quickly mastering computing and networking basics, David began his journey into software development. While he was examining his own code, it suddenly dawned on him that there were vulnerabilities that could enable an outsider to run code on his own laptop without his knowledge. That was the eureka moment that sparked his passion for research into vulnerabilities across applications, operating systems, and devices.

By the time he entered his teens, David was already figuring out how to protect companies, hospitals, and other computer users and networks. He found it to be a lot more exciting than spending time in the classroom. By 10th grade, he found himself a mentor from the German Chamber of Commerce who was able to get his school to permit him to show up only one or two days a week, allowing him to dedicate the rest of his time to building up his computing and cyber skills.

At the tender age of 16, David started his own cybersecurity company. But because he was too young to legally engage in commerce, his father had to sign the consulting contracts on his behalf. At 18, David finally became legally able to conduct cyber business on his own.

Tu Tesla, Mi Tesla

So how did David Colombo, at the tender age of 19, hack into ultra-high tech Tesla cars?

Before describing the process, David assures us that since he’s in the business of ethical hacking, everything he tells us is now public and will not compromise Tesla cars or their owners in any way. So, here’s the story.

Just last year, David was starting to perform a security audit for a French company. He looked at the code that constituted a data logger that was being used by Tesla. The data logger shows where the Tesla has been driven, how fast, and other such usage statistics. But to his amazement, David could easily find out where the CEO of the French company was driving his own Tesla, along with other private information.

Being a Tesla fan, he started reading source code from GitHub that went into other Tesla components. Ach du lieber! He discovered that open-source software stores the digital car keys in a way that can be accessed easily from the outside. And not encrypted at all. David could easily obtain the digital car keys to any car. What could he do with those keys? Just remotely disable the car’s security mode, unlock the doors, honk the horn – “little” things like that. If the owner’s garage door opener was connected to the car, David could open the garage door, too – in Finland, in Switzerland, anywhere – all from his laptop in Germany.

Was this a fluke? Were more than one or two cars involved? David quickly ran an internet search. Nein. David easily found more than 20 cars that he could breach. Immediately, he contacted Tesla via email and reported the alarming vulnerability.

How did Tesla respond? Right away. But David received only a curt reply, “We are investigating.” However, the next day, the ‘OMG’ email came. “We took a good look at what you found, and we are immediately revoking access tokens and notifying the owners. Thank you so much for letting us know!”

Security Insights

David’s young age does not do justice to his great accumulation of cyber knowledge and experience. Today, his consulting expertise is in great demand. He shares with us some of the insights that he has collected:

  1. The shortage of cybersecurity personnel and expertise is dire. Automotive, medical, and other industries need lots of dedicated people who are passionate about cybersecurity.
  2. Even “ancient” vulnerabilities continue to afflict the secure operations of modern, connected machines. For example, lots of the latest medical equipment is based on Windows XP and is vulnerable to the same security flaws that have plagued XP systems for decades.
  3. Most importantly, David says, “Don’t give up. Stay focused. As a cybersecurity professional, you will have a great impact on security, industries, and society.”

The Future

There’s no doubt David is a huge talent, and we’re all very lucky he’s on the right side of hacking. But his story sheds light on the state of automotive product security: it’s easier than we thought to breach the security of many of today’s advanced smart cars.

Tesla, as opposed to other vehicle manufacturers, built its product on software and is expected to have the cybersecurity controls in place to manage the codebase developed in-house. For every Tesla, there are thousands of other devices and vehicles that are relatively new to the cybersecurity game and are still struggling to secure their software supply chain from malicious players. This makes most vehicles that much easier to exploit – even without David’s expertise.

Written by David Leichner (CMO), Shlomi Ashkenazy (Head of Brand) and Rafi Spiewak (Director of Content) at Cybellum