How a White-Hat Hacker Once Gained Control of Tesla's Entire Fleet

"A few years ago, a hacker managed to exploit vulnerabilities in Tesla's servers to gain access and control over the automaker's entire fleet," remembers Electrek (in a story shared by long-time Slashdot reader AmiMoJo).

Tesla enthusiast Jason Hughes had already received a $5,000 bug bounty for reporting a vulnerability, but "knowing that their network wasn't the most secure, to say the least, he decided to go hunting for more bug bounties." After some poking around, he managed to find a bunch of small vulnerabilities. The hacker told Electrek, "I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was 'Mothership'." Mothership is the name of Tesla's home server used to communicate with its customer fleet.

Any kind of remote commands or diagnostic information from the car to Tesla goes through "Mothership." After downloading and dissecting the data found in the repository, Hughes started using his car's VPN connection to poke at Mothership. He eventually landed on a developer network connection. That's when he found a bug in Mothership itself that enabled him to authenticate as if it was coming from any car in Tesla's fleet.

All he needed was a vehicle's VIN number, and he had access to all of those through Tesla's "tesladex" database thanks to his complete control of Mothership, and he could get information about any car in the fleet and even send commands to those cars.
Last week Hughes released an annotated version of the bug report he'd submitted to Tesla. "Hughes couldn't really send Tesla cars driving around everywhere..." reports Electrek, "but he could 'Summon' them..." Telsa gave him a special $50,000 bug report reward — several times higher than their usual maximum — and "used the information provided by Hughes to secure its network."

Electrek calls it "a good example of the importance of whitehat hackers."

Elon Musk is moving the world to a better place.

[Futurepower(R)]

It's important to see the overall situations, the big picture:

2 of Elon Musk's ongoing contributions:

1) Helping the human race eliminate the very expensive gasoline cars and replace them with cars with electric moters that requre FAR less maintenance. There will be far less pollution, and less global warming due to the burning of fuel.

2) Musk's Internet satellites will give Internet access to poor people. Many people live in areas that don't have libraries. Internet access provides access to information that helps allow people to train themselves out of poverty.

Re:

[VorpalRodent]

3) Better pathfinding algorithms for use in mapping, videogames, etc., which are the natural fallout of one of the engineers saying "Wait a minute...what if we *do* summon a bunch of cars to the same spot".

Re:

[AmiMoJo]

Do you have any evidence of this? There are a lot of complaints about Summon picking stupid routes on the Tesla forums. Same for the sat nav.

Re:Elon Musk is moving the world to a better place

[AmiMoJo]

He didn't have to make the cars all connected to the mothership just to make them electric though. And not just connected but able to be remotely controlled. The summon feature could have used Bluetooth, which would also ensure the driver is near enough to keep an eye on it.

Re:

[Anonymous Coward]

He didn't have to make the cars all connected to the mothership just to make them electric though. And not just connected but able to be remotely controlled.

With all the people, companies, and interest groups actively attempting to destroy Tesla for their own gains, I would argue at least your first point.
There have been many dozens of attempted lawsuits trying to blame Tesla for what had been driver error or intentional driver actions, and the telemetry was the primary reason those suits were all dismissed.

As for remote summon, I'll agree with that.
OTA firmware/software updates however I still think are a good thing in general, but the line between the two get

Helpful understanding

[Futurepower(R)]

MOD Parent UP! Interesting explanations.

Re:Elon Musk is moving the world to a better place

[Rei]

It's also important to describe what's being talked about here: what he got access to control of was the Tesla API [teslaapi.io] (indeed, any company who has an app has some sort of API - open or closed). The API is what the Tesla App uses to communicate (indirectly, via Tesla) with the vehicle and send commands / receive data - anything you can do with the app . Third parties also write various tools for automated functions or third party apps for owners. Authentication requires an access token. He apparently was either able to get access tokens or bypass the need for them (e.g. issuing them direct from the Mothership).

It's important to note however that while he could run any API command, he obviously can't do anything that's not in the app. E.g., there's no API command for "swerve into a barrier" or whatnot; it's just basic app functionality. It didn't give him access to, say, send out new corrupted versions of firmware (which users, BTW, have to choose to install, and not-yet-installed updates can be recalled if Tesla became aware of an attack - plus, it takes time to dispatch and receive updates, given their size). With regards to Smart Summon, just like the app, you're limited to areas within 60 meters (US) / 6 meters (EU) of the vehicle, and it will refuse to drive on public roads.

That said, he sure could have pranked the hell out of people, stolen location data, or done things useful for thieves. Owners could have responded, if their vehicle started experiencing unwanted API commands, by disabling app access (Controls -> Safety and Security).

Still quite a serious breach - but not as much as "Gained Control of Tesla's Entire Fleet" makes it sound.

Musk's response to questions about the cybersecurity back in 2017:

I think one of the biggest risks for autonomous vehicles is somebody achieving a fleet-wide hack. In principle, if somebody was able to hack, say, all of the autonomous Teslas, they could, say—I mean just as a prank—they could say like ‘send them all to Rhode Island’ from across the United States. And that would be like, well OK, that would be the end of Tesla. And there would be a lot of angry people in Rhode Island, that’s for sure. So, we gotta make super sure that a fleet-wide hack is basically impossible and that if people are in the car, that they have override authority on whatever the car is doing. So, if the car is doing something wacky, you can press a button that no amount of software can override—that will ensure that you gain control of the vehicle and cut the link to the servers. So that's pretty fundamental. Within the car, we actually have, even if someone has access to the car, within the car there's multiple subsystems that also have specialized encryption - the powertrain has specialized encryption so that if someone were to gain access to the car, they wouldn't gain access to the powertrain or the braking system. But my top priority from a security standpoint at Tesla is to make sure that a fleetwide attack, or any vehicle-specific hack, cannot occur. They have the same problem with cell phones. It’s kind of crazy today that we live quite comfortably in a world that George Orwell would have thought is super crazy. Like we all carry a phone with a microphone that could be turned on really at any time without our knowledge, with a GPS that knows our position, and a camera and, well, kind of all of our personal information. We do this willingly. And it’s kind of wild to think that is the case. So, Apple and Google kind of have the same challenge of making sure there cannot be a fleet-wide hack—or a system-wide hack—of phones.

To be fair, this was a fleet-wide hack. But only an API hack. That however doesn't change the fact that in this era of increasing vehicle connectivity, fleet-wide vehicle hacks remain a serious concern, and it's a small-but-extant risk that anyone who wants to have app, update, or real-time data access must take.

diagnostic information needs to be open to owner o

[Joe_Dragon]

diagnostic information needs to be open to owner of the car and dealer / manufacturer remote tools needs to open to any repair shop / self repair.

Re:

[apoc.famine]

Sure, but one of the big things they're working on is automated driving, and they need to update the capacities of their cars often. They also need to collect a lot of data to help develop the technology.

A lot of Tesla owners love the fact that a few times a year they go and start their car up and it suddenly has new tricks it can do. This is possible because of this connection back to the company.

We get it that you're rabidly anti-Tesla, but a lot of people want these things. They want to be part of the it

Re:

[AmiMoJo]

My problem is that when Tesla randomly changes the behaviour of their cars a certain percentage of owners get into accidents. I don't want to be in an accident caused by Tesla beta testing their software with unvetted, random owners on public roads.

Re:

[apoc.famine]

That's what you worry about?

Lol. Sounds well worth hundreds of ranting anti-Tesla posts on the internet. I'm sure those have solved the problem once and for all.

Re:

[drinkypoo]

He didn't have to make the cars all connected to the mothership just to make them electric though.

No, but he did have to have them all connect to some central repository to accept OTA updates. And he did have to have them all connect in order to retrieve self-driving training data for the purpose of someday achieving FSD (which I still think will take LIDAR to do correctly, but that's a separate discussion.)

Re:

[Powercntrl]

Helping the human race eliminate the very expensive gasoline cars

I'm assuming your implication is reducing the sunk costs of the fossil fuel industry, not the actual end-user pricing of gasoline cars. Or, maybe you're one of those folks who would never consider driving around in something like a Hyundai Accent, Mitsubishi Mirage, or Nissan Versa, so you pretend they don't exist?

Musk's Internet satellites will give Internet access to poor people.

You know the saying: when the only tool you have is a hammer...
It's not far off from believing you could solve world hunger by giving every person on Earth a fridge.

This is why all wireless needs an 'OFF' switch

[Rick Schumann]

This story is case-in-point of why ALL vehicles that have wireless connectivity to the rest of the world need a hardware switch that completely disables ALL wireless communications of the vehicle. Do any of you really think that there is ever going to be any such thing as 'secure' when it comes to this? No. Not ever.
Vehicle owners need the ability to secure their vehicles themselves with a switch that completely disables the wireless transceivers in the vehicle, isolating it.

Re:

[quonset]

This is the flaw in connected vehicles. Until you can show all the software and hardware running in the background is absolutely secure, you are opening yourself up for all manner of shenanigans. It only takes one flaw, one opening, to wreak havoc.

Imagine if this guy never told anyone about this and decided to use it to his advantage. For all we know, there is something worse out there which someone knows about and is waiting for the opportunity to exploit it.

Re:

[billyswong]

Sorry, I WANT LEO to be able to stop my stolen vehicle before the theives can damage it.

This is because you live in (or you believe you live in) a country that the government or the rich and powerful won't be the thieves themselves. Remote controlled "car accident" is a valid threat.

Re:

[Rick Schumann]

Enjoy your violent death at the hands of terrorist hackers. Or you car being stolen remotely regardless and the cops can't find it let alone control it. Also enjoy being tracked everywhere you go, and ticketed 10 times a month by a computer because you went 1mph over the speed limit. Also enjoy being hijacked and kidnapped by your own car when it gets hacked. I could go on and on about the possiblities but you're so fucking concerned with fake-ass """safety""" that you won't listen.

Re:

[backslashdot]

Do any of you really think that there is ever going to be any such thing as 'secure' when it comes to this? No. Not ever.

That's massively pessimistic. Someday we'll figure it out. We'll simplify the protocols. We can make it safe. The world has only been dealing with computer hackers for only about 50 years. How shitty were airplanes for the first 50 years? Guaranteed the squeamish society of today would have banned airplanes within 5 years, let alone 50, by foolishly saying there was no way to make it safe. Hell even the 1950's Boeing 707 and DC-8 airplanes were death traps by today's standards -- did we ban airplanes? 1 out

Re:

[Rick Schumann]

No. The internet you're using right now is a powder-keg just waiting for it's fuse to be lit. Hackers all over the world breach security in small ways every single day. They've already proven through those small proofs-of-concept that they could take over everything including government and military any time they want but it's not profitable for them to do (yet). """Security""" is the LAST thing anyone wants to pay for in development and there is ALWAYS some bug or flaw no one thought of that they find and

No, this is not a success for "white hats"

[Excelcia]

The $50,000 bug bounty awarded here is not a bug bounty. It was an incentive for future criminals to confess rather than do damage. This was not a single exploit that was found. This was someone who went layer after layer in. This wasn't a white hat, this was someone who realized that the kind of access he ultimately got could only be used for a single prank, once, and was not otherwise monetizable. A white had would have reported the initial breach.

Crime does pay.

Re:

[kylemonger]

Using it once is all he needs.

1. Take a big short position in Tesla stock.

2. Send out an "update" that bricks Tesla cars everywhere, which would end Tesla as a profitable enterprise.

3. Profit!

If the hacker only got $50K he was robbed.

Re:

[apoc.famine]

No, he probable didn't have enough liquid cash to buy enough stock to make it worthwhile. Tesla is like $500 a share. If you think it will drop $10 because of your actions, you need to short $2.5m worth of stock for that plan to break even. Not a lot of people have that sort of liquidity and balls to attempt it. Far fewer have multiples of that to really cash in.

Unless you start rich, fucking with the stock market is not within your grasp. Snagging a bug bounty which will be 1/3 to 1x your salary is.

Re:

[kylemonger]

He need not use stock directly. Options let you gamble with much smaller sums, using leverage to make big profits if you guess a large price swing right. In this case he would buy a pile of out-of-the-money puts that would become much more valuable when Tesla stock went through the floor. Of course the SEC would notice the transaction and eventually find his ass, so best be in a non-extradition country by then.

Re:

[drinkypoo]

The $50,000 bug bounty awarded here is not a bug bounty. It was an incentive for future criminals to confess rather than do damage.

That's what a bug bounty is! Literally!

This was not a single exploit that was found. This was someone who went layer after layer in.

So what you're saying is that for one bounty payment, they found out about in-depth vulnerabilities in their platform. Which is to say, the bug bounty program is working spectacularly well. I'm not seeing the problem here.

Curious

[stabiesoft]

If one removes the antenna in a tesla does it disable the car? I know people do this with onstar and things still work.

THATS how it's done

[hdyoung]

White-hat, black-hat, I don't care to quibble over definitions. That's how you do it! You see that, all you other companies? Sit up straight and take some notes here. Some guy figured out how a terrorist or enemy state could cause a massive disaster and reported it to Tesla rather than selling it or acting on it. They paid the guy 50k for his trouble and thanked him for possibly preventing something terrible.

Note what Tesla didn't do: ignore it, sweep it under the carpet, hit him with a cease and desist, report him to the FBI and press charges, or take him to court. In other words, your playbook.

And you other companies wonder why Tesla's stock is through the roof while yours is trading at a 0.3 P/E ratio. Musk is nutty, but (most of the time) he's got a pretty good internal compass. People recognize that.

Only $5,000 for that?

[t4eXanadu]

That seems like a serious vulnerability. Only $5,000? Come on Elon, you cheap son of a bitch! (As if he's personally in control of the bug bounty program).

Re: Only $5,000 for that?

[ljw1004]

No. It was $50k, says the summary.

Be afraid. Be very afraid.

[RogueWarrior65]

All of DJI's drones require the system to at a minimum contact DJI's servers via an internet connect before it will let you launch even if it's just to find out whether there are any software updates or not. The problem with this is that in the use-case of public safety search & rescue, you may not have internet access where you need to fly. If this happens, the entire product is borked until you do have internet access.

To most people, this would be an inconvenience or a case of STBY. But when someon

Re:

[Known Nutter]

It's cute that you believe PS/SAR entities haven't already thought about that problem and how to best mitigate it. The types of controls and restrictions you describe apply to you, Citizen, not the Government.

As a practical example, they will spend tens of thousands of dollars on the UAV, and the backend network/server infrastructure to support the thing. It becomes just something which needs to be managed, and the bureaucracy of the thing grows just a little more.

Mothership says you must use att at $20 meg roamin

[Joe_Dragon]

Mothership says you must use att at $20 meg roaming if you don't buy the Canadian data plan.

Mothership says non dealer work done must report t

[Joe_Dragon]

Mothership says non dealer work done must report to dealer via tow or service visit for an check.

Re:

[account_deleted]

Comment removed based on user account deletion

Re: Department of Redundancy Department

[NagrothAgain]

AmiMojo was in too big of a rush to submit the story and get to the comments to trash on Tesla and Musk to bother with such pesky details. Also notice that he says $5k in his writeup even though the quote he embedded has the correct $50k number. That stock isn't gonna short itself after all.

Re: Department of Redundancy Department

[Nidi62]

The guy reported 1 bug, got 5k. Thought hey, I found one, can probably find more. Found more, figured out they could do serious mischief, and told Telsa. Telsa gave him an additional 50k for the new batch of bugs, for a grand total of 55k. They laid out 2 separate times, which is completely clear from the summary.

Re:

[AK Marc]

All he needed was a vehicle's VIN number

You beat me to it, but left out it should be the VVINN, for short. Now excuse me, I have to go to the Automatic ATM Machine to pay for my test for Human HIV Virus to see if I have the Acquired AIDS Syndrome.

With VW that couldn't have happened

[nospam007]

Their electric cars have to go to the VW garage to get updated and the new ones don't even recognize your cellphone until some time in a blue moon.

Such a deal!

[Impy the Impiuos Imp]

Telsa gave him a special $50,000 bug report reward

That's probably less than they would have paid him working as a software engineer during the same period.