We live in the Internet of Things (IoT) era, in which virtually every facet of daily life is internet-accessible. Our medical records, spending habits, and social lives are all digitized and accessible online.
The risk of storing personal data online is that hackers will steal our data—or worse, our identities. (Don’t worry, there are things you can do to prevent this from happening and recourse in case it ever does!) But online networks store more than just personal information.
Many of our critical systems are also internet-accessible, including power grids and water treatment plants, posing threats to the livelihood of all who depend on them. As technology advances, hardware and operational technology (OT) like self-driving cars, AI, and drones are also connected to online networks and able to be controlled remotely.
So what if that control fell into the wrong hands? Podcast host Cody Johnston envisions this type of OT-hacking in this tweet from February:
“My Tesla got hacked and is doing donuts in my yard, and I can’t get in because the handles have frozen over. It is blaring La Bamba at 3am and the tires have started to melt. To be clear, this is my fault. I have no issue with Tesla.”
This hilarious scenario might sound far-fetched, but it’s more realistic than we think.
In January of 2022, a 19-year-old white-hat hacker (meaning he demonstrates how systems can be hacked to educate the public rather than defraud them) named David Colombo tinkered with third-party software used by Teslas. He was able to remotely access 25 Teslas in 13 countries.
While Colombo wasn’t able to “drive” the cars remotely (no donuts were performed), he was able to unlock the cars and disable their security systems—and even play Rick Astley through their speakers on YouTube. He could also start the cars, open the windows, and manipulate the lights, which could be distracting and dangerous for drivers.
Colombo was able to send commands to the cars because of an unsecured third-party software called TeslaMate, used by a small percentage of Teslas, controlling vehicle functions through Tesla’s API. Because of Colombo’s discovery, TeslaMate released an update preventing remote access by unauthorized users.
In his Medium post detailing how he achieved this hack, Colombo stresses that users should take security into their own hands. He suggests being cautious of whom you share credentials with and updating software often to the latest and most secure versions.
This hack underscores the vulnerability of internet-accessible tech. Colombo asked Tesla Motors CEO Elon Musk if there would still be an emergency switch to cut Tesla’s internet connectivity—an idea that was once introduced by Tesla but never realized. Musk has yet to reply to the tweet.
The European Union Agency for Cybersecurity issued a report in 2021 warning consumers of the dangers of AI in autonomous driving vehicles. The report states that AI meant to interpret traffic and road signs can be thrown off by painted-over signs or lines on the road as part of an intentional attack by threat actors.
With malicious intent, any technology that operates using AI, or was built with AI, including airplanes and industrial robots, is subject to manipulation. Without vigilance on the part of tech companies, unintended actions can be programmed into and carried out by OT.
The tech community (including people like David Colombo in Germany) continues to help consumers and hold the industry accountable to thoroughly test the security of their products against hackers.
However, consumers can also take some steps to protect their devices, Tesla or otherwise. In addition to running regular software updates and keeping credentials and personal information secure, consumers can make informed choices about the products they use by doing cursory research on a brand’s security practices.