Lars Moravy, Tesla Vice President of Vehicle Engineering, told a Senate committee that no one has ever remotely taken control of Tesla vehicles. However, this claim doesn't hold up to the facts of history. In 2017, security researcher Jason Hughes gained control of Tesla's entire fleet by exploiting vulnerabilities in the company's central server.
Hughes was able to authenticate as any vehicle in Tesla's fleet using just a Vehicle Identification Number (VIN) and access location data, vehicle information, and send commands to any Tesla on the road. He even remotely activated a nearby Tesla's Summon feature, moving it from his home in North Carolina to California. Tesla awarded Hughes a $50,000 bug bounty for the discovery and worked quickly to patch the vulnerability.
This incident highlights the severity of cybersecurity concerns in the automotive industry. While both incidents were discovered by 'white hat' security researchers who responsibly disclosed the vulnerabilities to Tesla, Moravy's statement is demonstrably false. The 2017 Mothership hack wasn't an isolated incident, as security researchers at Keen Security Lab successfully hacked a Tesla Model S from 12 miles away in 2016, gaining remote control of the vehicle's brakes by exploiting the car's Controller Area Network (CAN bus).
Tesla patched both vulnerabilities quickly, but Moravy's claim raises questions about the company's cybersecurity measures. The incident also echoes Elon Musk's concerns about 'fleet-wide hacks' and the need for robust security protocols. Despite this, it's unclear whether any malicious actors have successfully taken remote control of Tesla vehicles in the wild.
This incident highlights the importance of transparency and honesty when discussing cybersecurity concerns. As the automotive industry continues to evolve, it's crucial for companies like Tesla to prioritize robust security measures and openly acknowledge potential vulnerabilities.
