IT expert demonstrates how to hack systems

by admin

Five years ago, David Colombo dropped out of high school to become self-employed in the field of IT security. The 20-year-old now has his own company and advises companies and institutions. He rose to fame in 2022 when he hacked 25 Tesla vehicles and thus drew attention to blatant security deficiencies. At the WELT Summit, he demonstrated live how easy it really is to penetrate other people's systems. WELT investigative editor Lennart Pfahler conducted the interview with him.

WELT: This crazy Tesla story – what did you do to be able to control the cars?

David Colombo: Actually, I never had anything to do with cars. The only thing that drove me was curiosity. It was also what brought me to this area. I wanted to know how things that we all use work. I wanted to find out how digital vehicles work. I didn’t have a Tesla. The only thing I could look at was the digital infrastructure on the Tesla side, what systems are there and how they communicate. I then stumbled across various “red flags” that allowed me to do stuff.

WELT: What is such a “red flag”? And how do you get from there to being able to manipulate?

Colombo: Parts of the code were open source, so I was able to read through the whole program code, and when you see that API keys are stored and then not encrypted, you listen up: If they are not encrypted in the database, you might be able to use them.

WELT: You are a security expert, companies hire you to check their systems. That’s how you came across the Tesla case.

Colombo: We do ethical hacking or penetration testing. This is comparable to not letting a car onto the road without a crash test. But in the digital realm, we build applications and send them out without being looked at closely. What companies can do is hire these hackers and say, take this apart and see if you can find anything.

WELT: What was the moment when you thought: This is more than a small security hole. This is something big that can interest the world?

Colombo: In the first step, it was driving data that was visible. Then I thought I could also send commands like “open the doors” or “play music” and gave it a try. I looked up data from various Tesla vehicles and then found someone who tweeted about their vehicle. There was someone in Ireland. I wrote to him and asked if I could try something. He said: “Yes, do it” and was then very surprised when his Tesla honked and opened the doors. I thought to myself: Okay, now we have a little problem. When that also worked for the second and third vehicle, I knew: Now we have a very big problem.

WELT: How did Tesla react?

Colombo: When we first contacted them, they responded relatively briefly and said we would take a look. Three hours later the e-mail came: We’ll take care of it now. Overall communication was very brief, just a few emails back and forth.

WELT: That made headlines. Your life has changed all of a sudden. What are you doing today?

Colombo: After that it was all around the world – for example to Dubai for the world government summit, to Tel Aviv to many start-ups or to Silicon Valley to Google, Netflix and Visa and all these big companies. Because as far as Tesla is concerned, it can also be interesting for other large corporations.

David Colombo (left) is a luminary. He has mastered the art of hacking and often demonstrates the vulnerabilities of software systems

Source: Pascal Rohé

WELT: Would Tesla have been able to manipulate brakes or other vital functions?

Colombo: Fortunately not, and I’m very happy about that. There were no external influences on critical systems such as the steering. It was not possible to intervene in the steering wheel while driving.

WELT: I have read interviews of yours, in which you report on sometimes hair-raising cases. One concerns the controls of airplanes.

Colombo: A few years ago, safety expert Chris Roberts was on a United Airlines flight. He looked around the plane. There must have been a box he could plug into. 30 minutes later he checked parts of the plane. This shows that IT security is no longer just about apps and data encrypted as ransomware. In the meantime, human lives are actually at stake when hospitals are affected or aircraft. I’ve had multiple conversations with Chris Roberts in 2022. He said that even today, the issue of critical infrastructure is not given the priority it should have in various companies in the boardroom.

WELT: What are the everyday things you are confronted with when you advise companies or state actors?

Colombo: There are companies that have forgotten – I can’t explain it any other way – that they have servers lying around that haven’t received any updates for years. However, these shadow IT systems are still connected to the network. Another topic is the software development process. It’s very lucrative for a hacker: I hack a software development company, put my malware in there, and then it’s distributed to their customers. We need to do better here.

WELT: We talked about ethical hackers. On the other side are cybercriminals. Would you earn more there?

Colombo: If you look at the revenue that ransomware groups make, definitely. They are now structured like companies. Such a ransomware unit makes tens of millions of dollars a month. But we are here to make the world a better place and increase cyber resilience.

WELT: What advice would you give companies on how to protect themselves? When the ransom is demanded, is it already too late?

Colombo: It depends on the preparation. You have to have backups and an incident response plan. By the time a ransom is demanded, the hackers are already in the systems and in control of the data. When the time comes, you have to take the “endpoint and detection response” seriously and recognize an attack immediately in order to be able to react effectively. When it comes to ransomware attacks, it’s not as if a company is encrypted within an hour. There are usually two or three days in between. So you have enough time to react.
