A few years ago, a hacker managed to exploit vulnerabilities in Tesla’s servers to gain access and control over the automaker’s entire fleet.
In July 2017, Tesla CEO Elon Musk took the stage at the National Governors Association in Rhode Island and confirmed that a “float-wide hack” is one of Tesla’s biggest concerns as the automaker moves to autonomous cars.
He even presented a strange scenario that could happen in an autonomous future:
“Basically, if anyone was able to hack any autonomous Teslas, they could say – I mean just like a joke – they could say ‘send them all to Rhode Island.’ [laugh] – about the United States … and that would be the end of Tesla and there would be a lot of angry people in Rhode Island. ”
What Musk knew the audience did not do was that Tesla got a taste of what actually happened just a few months before his talk.
The Great Tesla Hack
Back in 2017, Jason Hughes was already well known in the Tesla community under his WK057 alias on the forums.
He was an early member of the Tesla “root access” community, a group of Tesla owners who would hack their own cars to gain more control over them and even unlock unreleased features.
At the time, Hughes was using his knowledge to think about storing Tesla cars and building off-grid energy storage systems and electric conversion kits.
He turned the hobby into a business that sold Tesla parts from salvage cars and built his own controllers to help people create cool projects from those parts.
At that time, he also used his experience with Tesla cars and Tesla software to report vulnerabilities in the automaker’s systems.
The practice, known as whitehat hacking, was not its main focus, but like most tech companies, Tesla has put in place a bug reporting system to call people who find and report vulnerabilities.
He would occasionally submit bugs through that system.
After Tesla began giving customers access to more data about Supercharger stations, especially the ability to see how many chargers were currently available at a specific charging station through its navigation app, Hughes decided to poke around and see if he could expose the data .
He told Electrek:
“I found a hole in the server side of that mechanism that enabled me to get data for every Supercharger worldwide once every few minutes.”
The hacker shared the data on the Tesla Motors Club forum, and the automaker was apparently not happy about it.
Someone who appeared to be working for Tesla posted anonymously about how they did not want the data there.
Hughes replied that he would be happy to discuss it with her.
20 minutes later, he was on a conference call with the head of the Supercharger network and the head of software security at Tesla.
She kindly explained to him that they prevented him from sharing the data, which was technically accessible via the cars. Hughes then agreed to scrape and share the data from the Supercharger.
After reporting his server exploit through Tesla’s bug reporting service, he received a $ 5,000 reward for exposing the vulnerability.
Having now more experience with Tesla’s servers and knowing that their network was not the safest, to say the least, he decided to go on the hunt for more bugbounties.
After some pox, he managed to find a bunch of small vulnerabilities.
The hacker told Electrek:
“I realized that some of these things can be linked together, the official term is a bug chain, to gain more access to other things in their network. Eventually I was able to access some sort of server image repository in their network, one of which was ‘Mothership’. ”
Mothership is the name of Tesla’s home server used to communicate with its customer fleet.
Any kind of remote command as diagnostic information from the car to Tesla goes through “Mothership.”
After downloading and dissecting the data found in the repository, Hughes began using his car’s VPN connection to poke at Mothership. He eventually came up with a network connection for developers.
That was when he found a bug in Mothership itself that allowed him to verify as if he was coming from any car in Tesla’s fleet.
All he needed was the VIN number of a car, and he had access to all of it through Tesla’s “tesladex” database through his complete control over Mothership, and he could get information about every car in the fleet and even commands send to those cars.
At that point, I gave Hughes the VIN number of my own Tesla Model S, and he was able to give me the exact location and all other information about my own car.
At that point, Hughes decided to draft a bug report. Because he had recently been in contact with Tesla’s head of software security, who was then Aaron Sigel, he decided to email him immediately with his findings.
This was a big problem.
Within minutes of receiving that email on that Friday afternoon in March of 2017, Sigel Hughes called.
Back then, Tesla’s autonomous capabilities were far more limited than the features for driver assistants found in Tesla’s Autopilot and Full Self-Driving packages now.
Therefore, Hughes could not really steer Tesla cars that ran everywhere as Tesla’s CEO described a few months later in a strange scenario, but he could “call” them.
In 2016, Tesla released its Summon feature, allowing Tesla owners to move their cars a few tens of feet remotely or rear-end without anyone entering.
Until Tesla’s recent “Smart Summon” update, it was primarily used to get cars in and out of cramped spaces and garages.
While on the phone, Hughes asked Sigel to give him the VIN number of the Tesla car closest to him. The hacker continued to “call” the car, which was in California, from his home in North Carolina.
At one point, Hughes jokingly said that this bug report would be worthy of a brand new Tesla.
He eventually did not receive a new Tesla, but the automaker awarded him a special $ 50,000 bug report reward – several times higher than the maximum limit for official bug rewards:
Tesla used the information provided by Hughes to secure their network.
That Friday they finished overnight and within a few hours they managed to fix the main bug in Mothership.
After a few days, they fixed the entire bug chain that the hacker exploited to remotely gain control of Tesla’s entire fleet.
Tesla Cybersecurity Today
The good news is that Tesla has significantly increased since its efforts to secure its network and overall cybersecurity.
The automaker increased its maximum payout per reported bug to $ 15,000 in 2018, and it has boosted its security team and its relationship with hackers by attending hacking conferences.
In recent years, Tesla has targeted its cars in the popular Pwn2Own hacking competition.
David Lau, vice president of car software at Tesla, recently commented on the effort:
We develop our cars with the highest standards of safety in all respects, and our work with the safety research community is invaluable to us. Since launching our bugbounty program in 2014 – the first to include a connected consumer vehicle – we have continually increased our investment in partnerships with security researchers to ensure that all Tesla owners consistently benefit from the brightest minds in the community. . We look forward to learning about, and rewarding, great work at Pwn2Own so that we can continue to improve our products and our approach to designing inherently secure systems.
Also, Tesla owners are likely to get two-factor authentication for their Tesla account soon.
Electrek’s Take
While this was a massive intrusion that exposed a major vulnerability in Tesla’s network, it is also a good example of the importance of whitehat hackers and for them to focus more on the auto industry as cars increasingly be connected.
Institutions like this major intrusion actually put Tesla in a much better position in the sector.
The carmaker’s products are becoming the cool new thing for hackers to hack like the iPhone once was.
As long as the good guys, like Jason, do it, it will help Tesla stay for the bad guys and avoid the possible nightmare scenario of self-driving car attacks described by Elon.
FTC: We use revenue-earning auto-affiliate links. More.
Subscribe to Electrek on YouTube for exclusive videos and subscribe to the podcast.
