Meet the Tesla Hacker

Article by CNG Editor

Cyber News Global Editor-in-Chief, Elspeth Reilly, had the pleasure and honour of sitting down with David Colombo who first gained notoriety as the Tesla Hacker when he ethically, and with the permission of several Tesla vehicle owners around the world, hacked into their car’s systems to demonstrate the holes in Tesla’s cybersecurity measures. Now he travels the world as a consultant, keynote speaker, and as a champion of cybersecurity awareness and education

What was your main motivation behind your initial investigation into Tesla?

David Colombo: It was only curiosity – that’s what kick started my career in technology. I got my first laptop for my tenth birthday – “how does this work?”. So, curiosity got me started, and it is the same thing that led to the Tesla story.

Because I was thinking about how all these cars are now fully connected. If we go back 80 years, there was no technology in a car — it wasn’t a digital car. Then, we had cars with some interfaces like Wi-Fi, TSM (Trailer Sway Mitigation), and cameras. Now we are connecting those cars to so much more, they’re now connected to other cars, to smart roads, to traffic lights, but all of them also communicate back to the manufacturer.

Traditionally if we look at how cars are being hacked, it’s one car and one hacker that is near that car, attacking local attack surfaces. It got me thinking, why should someone just be near that one car, attack that one car?

If all those cars now constantly communicate back to the manufacturer, someone would be able to [access that communication] route, and they would be able to control multiple cars around the world — completely remotely. So, that was a thought I had in the back of my mind.

That thought led to “how does it work now?”, “How do those cars communicate?”, What interfaces are there?”, “What does the backend infrastructure look like?”

That’s remarkable that this investigation was spurned on purely by curiosity, but it led to this great discovery, a gap in their technology. You mention that everything began on your 10th birthday when you received your first laptop, was this what ignited your interest in cyber? Opening your first laptop opened a whole new world for you?

David Colombo: Exactly. At first it was only coding because I was curious “how does it work?” It’s not magic, its only technology so somehow it must work.

Then, I figured out that I’m growing up in the best time ever because I can leverage technology to learn about how it works. You can just open Google and learn about all these things – I thought that was just wonderful. Then I figured out that everything is code, and so I thought that I better start with coding because that’s how all of these things are built.

So, I really started my tech journey back then with only coding, understanding how it works, then building all of these things: building websites, building apps, and it’s really cool if you’re an eleven-year-old and you can run your own apps and say, “I made this!” That was really fascinating.

My interest in Cybersecurity came two or three years later when I discovered my first vulnerability. I was coding, understanding the basics, and then I came across my first vulnerability, and I was thought “this is super interesting, now I can do things I shouldn’t be able to do.” And on one hand, it’s cool to learn about cybersecurity and hacking and all of these things. But on the other hand, you can already see that cybersecurity is going to be one of the most pressing challenges moving forward when we digitalize our whole lives; starting with smart homes, autonomous cars, even creating infrastructure that is fully digital. So, that really grabbed my attention and my passion; I spent like all my time on it, even though school was the next day — I didn’t care, I would be awake until 4:00 in the morning, sitting in front of my screen, coding and tagging.

“People always ask me: how do we make the defensive part [of cybersecurity] cool? Of course, hacking into something is cool, but how do we make the defensive part cool? And I’m thinking, what do you mean make it cool? It is cool. We just need to get it out there and show it to people.”

David Colombo
You’re incredibly passionate about cybersecurity and technology! I read an article which mentioned that you and your father protested to allow you to attend school for only two days a week, was this so that you could better pursue these passions?

David Colombo: Definitely. So, that was what followed. Now I was into cyber security, I was spending all my time on it. Two, three years in, I was sitting in school in Germany, 10th grade, and I asked myself, “why should I sit here in Latin, if I could be out there helping to protect those organizations?” So, I decided I have to quit school. For me, it wasn’t even a question. What is going to be more important within the next decade? Cybersecurity or Latin, right? “I have to get out of this.” According to German law, you have to go to school until you’re 18.

I was thinking that if there’s a bug in my code, I don’t sit back and relax — I get into it and I fix it. So, I was trying to apply the same principle to my schooling until I found someone at the Chairman Chamber of Commerce who understood what I was saying.

I lived in the middle of nowhere, about 200 people in the town. So, he was driving out there, and it took him like two hours to get there, just to speak with me and to take a look at what I’m doing. Then, we finally got that special permission [which allowed me] to only go to school one or two days a week and use the rest of my time to, to further go ahead with my pursuit of cybersecurity.

It’s very clear that this is your passion, and it’s incredible that you developed it at such a young age. You said earlier that we’re living in a digital world, and it’s only going to get more and more connected —how do you think we should get the younger generation more interested in cybersecurity?

David Colombo: We need to show it to them. That’s that’s the only thing we have to do. Cybersecurity itself, is such a fascinating field. It’s really interesting, and there are so many cool things happening, but not too many people know about them. People always ask me: how do we make the defensive part of cybersecurity cool? Of course, hacking into something is cool, but how do we make the defensive part cool? And I’m thinking, what do you mean make it cool? It is cool. We just need to get it out there and show it to people, right?

For example, if hospitals are getting attacked from cyber threats and we have an incident response team rushing to the hospital defending against the attack and figuring out what happened — we just need to show that all of these exciting things are happening to the younger generations to ignite their interest. Once we are able to ignite it and spark it up, it’s going to be their passion!

Absolutely, it all comes down to education and awareness. You bring up an interesting point about hospitals getting attacked. It’s a great example to shed a light on because being the good guy in that situation is cool, and it is exciting, and it’s great to be able to help people, to step in, and to block those attacks from occurring. We have to demonstrate that cyber resilience is exciting.

David Colombo: Exactly. We also must show these young people who have extraordinary skills where to go, where they can prove themselves — we need to guide them to where they can actually use their skills for good. We need to talk about bounty programs, or about Capture The Flag (CTF) events where they’re able to prove their skills and be in a great community rather than going to the dark side of cyber. If we go back to when I started in cybersecurity, there was not much available. That is something that luckily is changing now. If we take a look at Hacker One and Buck Route and CTF events, these opportunities are happening, but we need to direct people towards them and show them; there are places for them if they have exceptional skills, if they’re interest in the topic, there are ways to test their skills, to prove their skills in an environment where it’s safe and where it’s legal.

That’s an excellent point — it’s vital to not only create opportunities for people, and especially younger people, to be able to utilise their skills and expertise, but to broadcast them effectively so that people know such opportunities exist. Speaking about the future generations: what do you think personally is future of cyber and how is going to in turn going to affect the cyber threat landscape?

David Colombo: Cyber is definitely going continue to grow as an industry and, with a lot more focus on the cyber-physical things that we are connecting. We are now talking about building Smart Cities. Who’s going to secure them? If you go on LinkedIn right now and you want to find Smart City security engineers — it doesn’t exist yet. We are going to see a lot of automation, but automation can only do so much; it can’t replace a human because cybersecurity is such a complex topic. Because of this, we need a lot more people into the workforce.

We need to start tackling the 3.5 million unfilled cybersecurity positions. It boils down to accessibility.

People don’t see these opportunities and so they don’t get access to them. That’s what we need to change to bring it to the attention of a lot more people, show those pathways, get them into the field. Because every major enterprise is searching for cyber security experts.

I was recently in Germany’s Business newspaper Handelsblatt where there was an article saying that “we are at the breaking point.” In Germany, a lot of organizations are getting hacked and of course, they need to call up cyber security companies to help them recover. But a lot of the time now when that they call up these cyber security companies, these companies tell them “Sorry, we don’t have the capacity to help you.” Which is creating major issues for those organizations in need. So, across the board, whether on the offensive side or on the defensive side, we need experts.

Also, when developing cybersecurity capabilities, something that I always like to point out is that I don’t even have a Tesla myself, so if you have cybersecurity researchers that are really eager to learn automotive cybersecurity, where do they do it?

How many people have the ability to buy a $70,000 car and risk breaking it while doing their research? We need to create environments where we give people access to these systems.