Originally published on BleepingComputer, April 26, 2022
Interview with cyber boy wonder, David Colombo
Cybellum had the pleasure of interviewing David Colombo, the cyber boy wonder of Germany, and founder of Colombo Technologies for our podcast, Left to Our Own Devices. Not yet 20 years old, the prolific cyber researcher already has to his credit the exposure of numerous critical vulnerabilities, including the honor of hacking his way into Tesla vehicles!
Since we analyze vehicle vulnerabilities on a daily basis for our product security platform, we couldn’t wait to hear more about how a young hacker managed to breach Tesla systems. We’ll elaborate on how he did that a little later.
Of course, David, being an ethical hacker, tries to make the world a better place by immediately sharing his findings with the world, enabling the security research community to fix cyber issues before actual breaches occur.
So, how did it all start?
Quick Study in Cyber
David was just a kid when he got interested in computing. Receiving his first laptop on his 10th birthday, he was immediately enthralled by how it worked and especially, of course, the internet. Quickly mastering computing and networking basics, David began his journey into software development. Examining his own code, it suddenly dawned on him that there were vulnerabilities that could enable an outsider to run code on his own laptop without his knowledge. That was the eureka moment that sparked his passion for research into vulnerabilities across applications, operating systems, and devices.
By the time he entered his teens, David was already figuring out how to protect companies, hospitals, and other computer users and networks. He found that activity a lot more exciting than spending time in the classroom. By 10th grade, he located a mentor from the German Chamber of Commerce who was able to get his school to give him permission to show up only one or two days a week, allowing him to dedicate the rest of his time to building up his computing and cyber skills.
At the tender age of 16, David started his own cybersecurity company. But because he was too young to legally engage in commerce, his father had to sign the consulting contracts on his behalf. At 18, David finally became legally able to conduct cyber business on his own.
Tu Tesla, Mi Tesla
So how did David Colombo, at the tender age of 19, hack into ultra-high tech Tesla cars?
Before describing the process, David assures us that since he’s in the business of ethical hacking, everything he tells us is now public and will not compromise Tesla cars, or their owners in any way. So, here’s the story.
Just last year, David was starting to perform a security audit for a French company. He took a look at the code that constituted a data logger that was being used by Tesla. The data logger shows where the Tesla has been driven, how fast, and other such usage statistics. But to his amazement, David could easily find out where the CEO of the French company was driving his own Tesla, along with other private information.
Being a Tesla fan, he started reading source code from GitHub that went into other Tesla components. Ach du lieber! He discovered that the open source software stored the digital car keys (the access tokens) in a way that could easily be reached from the outside, and not encrypted at all. David could easily obtain the digital car keys to any car. What could he do with those keys? Just remotely disable the car’s security mode, unlock the doors, honk the horn – “little” things like that. If the owner’s garage door opener was connected to the car, David could open the garage door, too – in Finland, in Switzerland, anywhere – all from his laptop in Germany!
Was this a fluke? Were more than one or two cars involved? David quickly ran an internet search. Nein. David easily found more than 20 cars that he could breach.
Immediately, he contacted Tesla via email and reported the alarming vulnerability.
How did Tesla respond? Right away. But David received only a curt reply, “We are investigating.” However, the next day, the OMG! email came. “We took a good look at what you found and we are immediately revoking access tokens and notifying the owners. Thank you so much for letting us know!”
David’s young age does not do justice to his great accumulation of cyber knowledge and experience. Today, his consulting expertise is in great demand. He shares with us some of the insights that he has collected.
- The shortage of cybersecurity personnel and expertise is dire. Automotive, medical, and other industries need lots of dedicated people who are passionate about cybersecurity.
- Even “ancient” vulnerabilities continue to afflict the secure operations of modern, connected machines. For example, lots of the latest medical equipment is based on Windows XP and is vulnerable to the same security flaws that have plagued XP systems for decades.
- Most importantly, David says, “Don’t give up. Stay focused. As a cybersecurity professional, you will have a great impact on security, industries, and society.”
There’s no doubt David is a huge talent, and we’re all very lucky he’s on the right side of hacking. But his story sheds light on the state of automotive product security: it’s easier than we thought to breach the security of many of today’s advanced smart cars.
Tesla, as opposed to other vehicle manufacturers, built its product on software, and is expected to have the cybersecurity controls in place to manage the codebase developed in-house. For every Tesla, there are thousands of other devices and vehicles that are relatively new to the cybersecurity game, and are still struggling to secure their software supply chain from malicious players. This makes most vehicles that much easier to exploit – even without David’s expertise.
At Cybellum, our mission is to equip product security teams with a powerful product security platform that addresses new and emerging cyber threats, so it won’t come to that.
You can listen to this and other Left to Our Own Devices episodes at https://cybellum.com/podcasts/
To learn more about how Cybellum helps protect vehicles and other devices, visit Cybellum.com.