A few years ago, a hacker managed to exploit vulnerabilities in Tesla’s servers to gain access to, and control over, the automaker’s entire fleet.
In July 2017, Tesla CEO Elon Musk got on stage at the National Governors Association in Rhode Island and confirmed that a “fleet-wide hack” is one of Tesla’s biggest concerns as the automaker moves to autonomous vehicles.
He even presented a strange scenario that could happen in an autonomous future:
“In principle, if someone was able to say hack all the autonomous Teslas, they could say – I mean just as a prank – they could say ‘send them all to Rhode Island’ [laugh] – across the United States… and that would be the end of Tesla and there would be a lot of angry people in Rhode Island.”
What Musk knew that the public didn’t was that Tesla had gotten a taste of that actually happening just a few months prior to his talk.
The Big Tesla Hack
Back in 2017, Jason Hughes was already well known in the Tesla community under his WK057 alias on the forums.
He was an early member of the Tesla “root access” community, a group of Tesla owners who would hack their own cars to get more control over them and even unlock unreleased features.
At the time, Hughes was using his knowledge to tinker with salvaged Tesla vehicles and build off-grid energy storage systems and electric conversion kits.
He turned the hobby into a business selling Tesla parts from salvaged vehicles and building his own controllers to help people make cool projects out of those parts.
At the time, he was also using his experience working with Tesla vehicles and Tesla software to report vulnerabilities in the automaker’s systems.
The practice, known as whitehat hacking, wasn’t his main focus, but like most tech companies, Tesla has a bug reporting system in place to reward people who find and report vulnerabilities.
He would occasionally submit bugs through that system.
After Tesla started to give customers access to more data about Supercharger stations, mainly the ability to see how many chargers were currently available at a specific charging station through its navigation app, Hughes decided to poke around and see if he could expose the data.
He told Electrek:
“I found a hole in the server-side of that mechanism that allowed me to basically get data for every Supercharger worldwide about once every few minutes.”
The hacker shared the data on the Tesla Motors Club forum, and the automaker seemingly wasn’t happy about it.
Someone who appeared to be working at Tesla posted anonymously about how they didn’t want the data out there.
Hughes responded that he would be happy to discuss it with them.
20 minutes later, he was on a conference call with the head of the Supercharger network and the head of software security at Tesla.
They kindly explained to him that they would prefer for him not to share the data, which was technically accessible through the vehicles. Hughes then agreed to stop scraping and sharing the Supercharger data.