A 19-year-old security researcher and hacker has revealed he was able to control more than 125 Teslas around the world without their owners' knowledge.
David Colombo used a third-party app that allows owners to remotely unlock doors, open windows and even start keyless driving among other actions.
The IT specialist has yet to reveal the full details of the hack as he says the exploits have yet to be fully fixed, but he did provide some information on Twitter.
"I now can remotely run commands on 25+ Teslas in 13 countries without the owners knowledge," he wrote.
Subsequently, in an interview with Wired, Colombo revealed the number of cars impacted had increased, giving him access to 125 vehicles in countries such as the UK, the US, Germany, Denmark and Canada.
"This includes disabling Sentry Mode, opening the doors/windows and even starting Keyless Driving. I could also query the exact location, see if a driver is present and so on. The list is pretty long," he wrote on social media.
"And yes, I also could remotely rick roll the affected owners by playing Rick Astley on YouTube in their Teslas."
While Colombo admitted he wasn't able to remotely control the steering, or the acceleration and braking of the cars, he still felt his access could cause serious issues.
"I think it's pretty dangerous, if someone is able to remotely blast music on full volume or open the windows/doors while you are on the highway," he wrote.
"Even flashing the lights non-stop can potentially have some (dangerous) impact on other drivers."
He explained those were the reasons he was waiting for the issues to be fixed before revealing the exact details of his hack.
With the hack, Colombo would be able to steal any of the affected cars if they were nearby.
He has since confirmed Tesla's Security Team have been in contact with him and are investigating the issue.
Colombo told Wired the problems he found weren't Tesla's fault, but those of the third-party app. It was related to how it uses Tesla's Application Programming Interface (API) while leaving the owners' private API key exposed on the internet.
