In July 2017, Tesla CEO Elon Musk got on stage at the National Governors Association in Rhode Island and confirmed that a “fleet-wide hack” is one of Tesla’s biggest concerns as the automaker moves to autonomous vehicles.
He even presented a strange scenario that could happen in an autonomous future:
“In principle, if someone was able to say hack all the autonomous Teslas, they could say – I mean just as a prank – they could say ‘send them all to Rhode Island’ [laugh] – across the United States… and that would be the end of Tesla and there would be a lot of angry people in Rhode Island.”
What Musk knew that the public didn’t was that Tesla got a taste of that actually happening just a few months prior to his talk.
The Big Tesla Hack
Back in 2017, Jason Hughes was already well known in the Tesla community under his WK057 alias on the forums.
He was an early member of the Tesla “root access” community, a group of Tesla owners who would hack their own cars to get more control over them and even unlock unreleased features.
After Tesla started to give customers access to more data about Supercharger stations, mainly the ability to see how many chargers were currently available at a specific charging station through its navigation app, Hughes decided to poke around and see if he could expose the data.
He told Electrek:
“I found a hole in the server-side of that mechanism that allowed me to basically get data for every Supercharger worldwide about once every few minutes.”
The hacker shared the data on the Tesla Motors Club forum, and the automaker seemingly wasn’t happy about it.
Someone who appeared to be working at Tesla posted anonymously about how they didn’t want the data out there.
Hughes responded that he would be happy to discuss it with them.
20 minutes later, he was on a conference call with the head of the Supercharger network and the head of software security at Tesla.
They kindly explained to him that they would prefer for him not to share the data, which was technically accessible through the vehicles. Hughes then agreed to stop scraping and sharing the Supercharger data.
After reporting his server exploit through Tesla’s bug reporting service, he received a $5,000 reward for exposing the vulnerability.
With now having more experience with Tesla’s servers and knowing that their network wasn’t the most secure, to say the least, he decided to go hunting for more bug bounties.
After some poking around, he managed to find a bunch of small vulnerabilities.
The hacker told Electrek:
“I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was ‘Mothership’.”
Mothership is the name of Tesla’s home server used to communicate with its customer fleet.
Any kind of remote commands or diagnostic information from the car to Tesla goes through “Mothership.”
After downloading and dissecting the data found in the repository, Hughes started using his car’s VPN connection to poke at Mothership. He eventually landed on a developer network connection.
That’s when he found a bug in Mothership itself that enabled him to authenticate as if it was coming from any car in Tesla’s fleet.
All he needed was a vehicle’s VIN number, and he had access to all of those through Tesla’s “tesladex” database thanks to his complete control of Mothership, and he could get information about any car in the fleet and even send commands to those cars.
At the time, I gave Hughes the VIN number of my own Tesla Model S, and he was able to give me its exact location and any other information about my own vehicle.
Hughes couldn’t really send Tesla cars driving around everywhere like Tesla’s CEO described in a strange scenario few months later, but he could “Summon” them.
In 2016, Tesla released its Summon feature, which enables Tesla owners to remotely move their cars forward or backward a few dozen feet without anyone in them.
the automaker awarded him a special $50,000 bug report reward — several times higher than the max official bug reward limit: