A few years ago, a hacker managed to take advantage of vulnerabilities in Tesla’s servers to take access & control over the automaker’s entire fleet.
In July 2017, Tesla CEO Elon Musk got on stage at the National Governors Association in Rhode Island and confirmed that a “fleet-wide hack” is one among Tesla biggest concerns because the automaker moves to autonomous vehicles.
He even presented a wierd scenario that would happen in an autonomous future:
“In principle, if someone was ready to say hack all the autonomous Teslas, they might say – I mean even as a prank – they might say ‘send all of them to Rhode Island’ [laugh] – across the United States… which would be the top of Tesla & there would be tons of angry people in Rhode Island.”
What Musk knew that the general public didn’t was that Tesla got a taste of that really happening just a couple of months before his talk.
Big Tesla Hack
Back in 2017, Jason Hughes was already known in-the Tesla community under his WK057 alias on forums.
He was an early member of the Tesla “root access” community, a gaggle of Tesla owners who would hack their own cars to urge more control over them & even unlock unreleased features.
At the time, Hughes was using his knowledge to tinker with salvaged Tesla vehicles and build off-grid energy storage systems & electric conversion kits.
He turned the hobby into a business selling Tesla parts from salvaged vehicles and building his own controllers to assist people make cool projects out of these parts.
The practice, called as whitehat hacking, wasn’t his main focus, but like most tech companies, Tesla features a bug reporting system in place to reward people that find and report vulnerabilities.
He would occasionally submit bugs through that system.
After Tesla began to give customers access to more data about Supercharger stations, mainly the power to ascertain what percentage chargers were currently available at a selected charging station through its navigation app, Hughes decided to poke around & see if he could expose the info .
He told Electrek:
“I found a hole within the server-side of that mechanism that allowed me to basically get data for each Supercharger worldwide about once every few min .”
The hacker shared the info on the Tesla Motors Club forum, and therefore the automaker seemingly wasn’t happy about it.
Someone who seemed to be performing at Tesla posted anonymously about how they didn’t want the info out there.
Hughes responded that he would be happy to debate it with them.
20 minutes later, he was on a call with the head of the Supercharger network & therefore the head of software security at Tesla.
They kindly explained to him that they might prefer for him to not share the info , which was technically accessible through the vehicles. Hughes then agreed to prevent scraping & sharing the Supercharger data.
After reporting his server exploit through Tesla’s bug reporting service, he received a $5,000 reward for exposing the vulnerability.
With now having more experience with Tesla’s servers and knowing that their network wasn’t the foremost secure, to mention the smallest amount , he decided to hunt for more bug.
After some poking around, he managed to seek out a bunch of small vulnerabilities.
The hacker told Electrek:
“I realized a couple of of those things might be chained together, the official term may be a bug chain, to gain more access to other things on their network. Eventually, I managed to access a kind of repository of server images on their network, one among which was ‘Mothership’.”
Mothership is name of Tesla’s home server wont to communicate with its customer fleet.
Any quite remote commands or diagnostic information from the car to Tesla goes through “Mothership.”
After downloading & dissecting the info found within the repository, Hughes started using his car’s VPN connection to nudge Mothership. He eventually landed on a developer network connection.
That’s when he found a bug in Mothership itself that enabled him to authenticate as if it had been coming from any car in Tesla’s fleet.
All he needed was a vehicle’s VIN number, and he had access to all or any of these through Tesla’s “tesladex” database because of his complete control of Mothership, and he could get information about any car within the fleet and even send commands to those cars.
At the time, I gave Hughes the VIN number of my very own Tesla Model S, and he was ready to give me its exact location and the other information about my very own vehicle.
It’s at that time that Hughes decided to compile a bug. Since he was already recently in touch with Tesla’s head of software security, who was Aaron Sigel at the time, he decided to email him directly together with his finding.
This was an enormous deal.
Within minutes of receiving that email thereon Friday afternoon in March of 2017, Sigel called Hughes.
Now back then , Tesla’s autonomous capabilities were far more limited than the driver-assist features found in Tesla’s Autopilot & Full Self-Driving packages now.
Therefore, Hughes couldn’t really send Tesla cars driving around everywhere like Tesla’s CEO described during a strange scenario few months later, but he could “Summon” them.
In 2016, Tesla released its Summon feature, which enables Tesla owners to remotely move their cars forward or backward a couple of dozen feet without anyone in them.
Until Tesla’s newer “Smart Summon” update, it had been primarily wont to get cars in and out of tight spaces and garages.
While on the phone, Hughes then asked Sigel to offer him the VIN number of the Tesla vehicle closest to him. The hacker proceeded to “summon” the car, which was in California, from his home in North-Carolina.
At which point Hughes jokingly said that this bug report should be worth a fresh Tesla.
He didn’t end up getting new Tesla, but the automaker awarded him a special $50,000 bug report reward — several times above the max official bug reward limit:
Tesla used the info provided by Hughes to secure its network.
That Friday, they ended up working overnight & managed to repair the bug in Mothership within a couple of hours.
After a couple of days, they fixed the whole bug chain the hacker exploited to remotely gain control of Tesla’s entire fleet.
Tesla Cybersecurity Today
The good news is that Tesla has since significantly increased its effort to secure its network and overall cybersecurity.
The automaker increased its max payout per reported bug to $15,000 in 2018, and it’s ramped up its security team also as its relationship with hackers through participation in hacking conferences.
Over the previous couple of years, Tesla has brought its cars as targets within the popular Pwn2Own hacking competition.
David Lau, Vice-President of auto software at Tesla, recently commented on the effort:
We develop our cars with the very best standards of safety in every respect, and our work with the safety research community is invaluable to us. Since launching our bug bounty program in 2014 — the 1st to incorporate a connected consumer vehicle — we’ve continuously increased our investments into partnerships with security researchers to make sure that each one Tesla owners constantly enjoy the brightest minds within the community. we glance forward to learning about, and rewarding, great add Pwn2Own in order that we will still improve our products and our approach to designing inherently secure systems.
Also, Tesla owners will supposedly soon get 2-factor authentication for his or her Tesla account.
While this was a huge breach exposing an enormous vulnerability in Tesla network, it’s also an honest example of the importance of whitehat hackers and for them to focus more on the automotive industry as cars become increasingly more connected.
Instances like this important breach are literally putting Tesla during a far better position within the industry.
The automaker’s products are kind of becoming the cool new thing for hackers to hack just like the iPhone once was.
As long because the good guys, like Jason, do it, it’ll help Tesla stay ahead of bad guys & avoid the possible nightmarish scenario of self-driving vehicle attacks described by Elon.