Can A Tesla Be Hacked?

Tesla represents a sneak glimpse at the future of motoring. Elon Musk’s team has forged a path with fully electric vehicles that, one day, will be able to run anonymously. They are the first to be attacked by bad actors wanting to profit from unauthorized access to the Tesla systems.

As recently as 2022, there have been instances where Teslas have been hacked. However, in each case, Tesla has responded decisively and issued software patches to eliminate the problem. However, any computer system with a vulnerability will be hacked by a hacker who discovers the weakness. 

A potential hacker can target any vehicle manufacturer who communicates with their vehicles or issues software updates. Tesla prides itself on remote updates; however, the company is also very active in testing the integrity of the software and its ability to withstand hacking attempts.

How Can a Tesla Be Hacked?

Elon Musk, the leader at Tesla, has stated that one of his biggest concerns is a fleet-wide hack of Tesla, mainly as the technology develops to the state when the car will become fully autonomous.

Over the last period, there have been a few instances when hackers bypassed the Tesla software security protocols and controlled some of the car’s systems.

Some examples of the breaches include:

The Hack that Started It All

In 2017, a Whitehat hacker (ostensibly one of the good guys), Jason Hughes, alias WK057, managed to access the Tesla “Mother Ship,” the name given to Tesla’s central server.

Once he entered, he found a bug in the Mothership software, which allowed him to authenticate any software or message as if it was coming from any car in the Tesla fleet.

The access allowed him to get information about any car in the fleet, including its exact location, and even send commands to those cars.

If a malevolent hacker had found this access, the damage could have been ruinous. 

Within minutes of making the hacking known, he received a phone call from Aaron Sigel, who at that time was Tesla’s head of software security.

While he was on the phone with Sigel, Hughes asked for the VIN of the Tesla nearest to Sigel.

Hughes then summonsed that the Tesla with the summon car feature to the car, situated in California, from North Carolina. To Sigel’s horror, the car started moving!

Tesla awarded Hughes a special $50,000 bug report reward which was many times larger than the maximum official bug reward limit.

Elon Musk’s described just one possible scenario from this hack.

He said that if someone could hack all the self-drive Tesla’s, as a prank, they could order them to drive to Rhode Island – from around the country – and it would be the end of Tesla and result in a lot of outraged people in Rhode Island.

Apart from patching the vulnerabilities that enabled Jason Hughes to gain this access, Tesla has also ensured that Tesla drivers can always take control of their vehicles when on autopilot. 

The 2020 Israeli Attack Took Control of the Car

Researchers at Ben Gurion University in Beersheba, Israel, managed to insert fictitious images on a road, walls, and signs, causing Tesla cars to avoid the ghost images and brake or steer in the wrong direction.

The 2020 Bluetooth Hack Attack

In 2020 Tesla was forced to roll out a security update to prevent unauthorized access to the system via its Bluetooth functions.

A hacker showed how the Tesla Model X’s keyless entry system enabled access in under 90 seconds by accessing the Key fob firmware via Bluetooth and accessing the car’s unlock code.

The Airborne Drone Hack Attack

In 2021, two researchers created the TBONE hack.

Using a drone, the researchers proved they could implement the hack on a parked car from up to 100 meters (roughly 300 feet). The hack would work on all current Tesla models.

They developed software to exploit two weaknesses affecting the ConnMan software (ConnMan is an internet connection manager for devices in the car).

They found they could manipulate the weaknesses and take complete control of the infotainment system without anyone interacting with the system.

With the hack, they could open the car doors, move the seats, change comfort settings, play music, control the air conditioning system, and modify steering and acceleration modes. 

Although none of the TBONE exploits took control of the driving functions of the Tesla cars, it did give the hackers the ability to load software via the connection, which they could have used to affect all other Tesla cars the hacked vehicle passed.

Being able to update the software with its code also opened the possibility that, ultimately, they would have been able to take complete control of the car.

Tesla patched the software to prevent this from happing again in October 2020.

The 2022 Third Party System Hack

In January 2022, a 19-year-old German security researcher announced that he had developed hacking software to access the keyless entry and driving system. 

He enabled the hack through a third-party system to which Tesla owners had provided sensitive personal information.

With his hack, he could remotely unlock the car doors, turn on the infotainments system, open and close the doors and windows, flash the car’s headlights, and, alarmingly, activate the car’s engines to drive.

The fact that he could access 25 Tesla vehicles in more than 13 countries makes this hack a security breach that Tesla will have to address urgently.

There have been other hacking successes, but Tesla has responded swiftly and issued security patches quickly.

How Does Tesla Prevent Their Cars from Being Hacked?

Tesla is putting a lot of resources into countering the problem of hacking their vehicles. It is not a unique issue to Tesla anymore, as more and more companies are enabling over-the-air software updates and continuously exploring the possibilities autonomous vehicles potentially offer.

So far, most of the exploits have been carried out by Whitehat hackers and researchers who have cooperated fully with Tesla to fix the problem.

If a bad actor (Blackhat hacker), acting on behalf of a hostile nation-state, were able to take control of Teslas in a particular country, the chaos it would cause would be dramatic and very costly.

 Imagine if they used Teslas to block the roads to prevent the defense authorities or emergency services from responding; the consequences would be catastrophic.

Apart from a powerful internal software security team, Tesla also has two other proactive methods of improving their software.

Tesla’s Bug Reporting Service

Tesla pays for any bug (not just a hack), which is reported through their Bug reporting channels.

Successful reporters will receive up to $15,000, depending on the seriousness of the bug. 

Pwn2Own Hacking Congress

Each year Tesla [participates in the Pwn2Own Hacking Congress and challenges the attendees to hack their vehicles. The prize for successfully entering and taking control of the major systems is a brand-new Tesla.

So far, one car has been given away.

Conclusion

Any software designer who says their systems are invulnerable to hacking has probably not had a severe attack inflicted on them in the past. Hackers continually look for the slightest vulnerabilities in software, and they only need a single opening to take control.

The defenders, however, must be successful every time. The reality is that is not possible, and hacks will continue to occur. Tesla realizes the seriousness of the situation and employs considerable resources to prevent unauthorized access to its systems.