Tesla’s Remote Hacking History Contradicts Executive Testimony
During a Senate Commerce Committee hearing on autonomous vehicles this week, Tesla Vice President of Vehicle Engineering Lars Moravy asserted that no one has ever remotely taken control of a Tesla vehicle. His claim, "We have many layers of security in our system… the answer is simply no," directly contradicts documented cybersecurity incidents involving the company’s fleet.
In 2017, security researcher Jason Hughes (known as WK057) uncovered critical vulnerabilities in Tesla’s central server, "Mothership," which manages communication with its entire fleet. By exploiting these flaws, Hughes gained access to vehicle location data, system information, and the ability to send commands to any Tesla using only a VIN. To demonstrate the severity, he remotely activated the Summon feature on a California-based Tesla from his home in North Carolina, proving that, at the time, a malicious actor could have stolen or manipulated vehicles from afar. Tesla awarded Hughes a $50,000 bug bounty (far exceeding its standard maximum payout) and patched the vulnerability overnight.
This incident occurred months before Elon Musk publicly warned about "fleet-wide hacks" as a major concern for Tesla, even joking about hackers redirecting all Teslas to Rhode Island as a prank. The 2017 breach was not an isolated case: In 2016, researchers at Keen Security Lab (Tencent) remotely compromised a Tesla Model S from 12 miles away, gaining control of its brakes by exploiting the vehicle’s Controller Area Network (CAN bus). Tesla addressed that vulnerability within 10 days.
While both incidents involved white-hat researchers who disclosed the flaws responsibly, and Tesla has since bolstered its security measures (including expanded bug bounties and participation in hacking competitions like Pwn2Own), Moravy’s testimony omitted these historical breaches. His statement that "no one has ever been able to" take remote control of a Tesla is factually inaccurate.
The hearing, which focused on establishing a federal framework for autonomous vehicles, underscored the importance of accurate security claims as lawmakers weigh regulatory oversight. Tesla’s cybersecurity has improved since 2017, but its public record of past vulnerabilities remains a key part of the discussion.
Tesla cybersecurity rating report: https://www.rankiteo.com/company/tesla-motors
"id": "TES1772642704",
"linkid": "tesla-motors",
"type": "Vulnerability",
"date": "2/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Tesla vehicle owners '
'(potentially entire fleet)',
'industry': 'Automotive (Electric Vehicles, Autonomous '
'Driving)',
'location': 'United States',
'name': 'Tesla, Inc.',
'size': 'Large (Fortune 500)',
'type': 'Corporation'}],
'attack_vector': ['Exploitation of Tesla’s central server (Mothership)',
'Exploitation of Controller Area Network (CAN bus)'],
'data_breach': {'sensitivity_of_data': 'Moderate (vehicle telemetry, '
'location)',
'type_of_data_compromised': ['Vehicle location data',
'System information']},
'date_detected': ['2016', '2017'],
'date_publicly_disclosed': ['2016', '2017'],
'date_resolved': ['2016 (within 10 days)', '2017 (overnight)'],
'description': 'During a Senate Commerce Committee hearing, Tesla VP Lars '
'Moravy claimed no one has ever remotely taken control of a '
'Tesla vehicle, contradicting documented cybersecurity '
'incidents. In 2017, researcher Jason Hughes exploited '
"vulnerabilities in Tesla’s 'Mothership' server to remotely "
'activate vehicle features. In 2016, Keen Security Lab '
'(Tencent) remotely compromised a Tesla Model S, gaining '
'control of its brakes. Both incidents were responsibly '
'disclosed and patched by Tesla.',
'impact': {'brand_reputation_impact': 'Potential erosion of trust due to '
'historical vulnerabilities',
'data_compromised': ['Vehicle location data', 'System information'],
'operational_impact': ['Remote control of vehicle features (e.g., '
'Summon)',
'Remote control of brakes'],
'systems_affected': ['Tesla vehicle fleet', 'Tesla Model S']},
'investigation_status': 'Closed (vulnerabilities patched)',
'lessons_learned': 'Historical vulnerabilities highlight the importance of '
'transparent security claims, especially in regulated '
'industries like autonomous vehicles. Tesla’s security '
'improvements post-incident demonstrate the value of bug '
'bounty programs and responsible disclosure.',
'motivation': ['Security Research', 'Security Research'],
'post_incident_analysis': {'corrective_actions': ['Patching vulnerabilities',
'Expanding bug bounty '
'programs',
'Participating in hacking '
'competitions'],
'root_causes': ['Insufficient security controls in '
'Tesla’s Mothership server',
'Vulnerabilities in CAN bus '
'implementation']},
'recommendations': ['Ensure executive testimony accurately reflects '
'historical security incidents to maintain credibility '
'with regulators and the public.',
'Continue investing in bug bounty programs and '
'third-party security audits.',
'Enhance transparency around past vulnerabilities to '
'build trust with stakeholders.'],
'references': [{'source': 'Senate Commerce Committee Hearing on Autonomous '
'Vehicles'},
{'source': 'Jason Hughes (WK057) - Tesla Mothership Server '
'Exploit (2017)'},
{'source': 'Keen Security Lab (Tencent) - Tesla Model S Remote '
'Hack (2016)'}],
'response': {'communication_strategy': 'Responsible disclosure by '
'researchers; public acknowledgment by '
'Tesla',
'containment_measures': ['Patching vulnerabilities in Mothership '
'server',
'Patching CAN bus vulnerabilities'],
'incident_response_plan_activated': True,
'remediation_measures': ['Expanded bug bounty programs',
'Participation in hacking competitions '
'(e.g., Pwn2Own)']},
'stakeholder_advisories': 'Tesla’s security improvements post-incident were '
'noted, but historical breaches remain relevant for '
'regulatory discussions on autonomous vehicle '
'security.',
'threat_actor': ['Jason Hughes (white-hat researcher)',
'Keen Security Lab (Tencent, white-hat researchers)'],
'title': 'Tesla’s Remote Hacking Vulnerabilities Contradict Executive '
'Testimony',
'type': ['Remote Code Execution', 'Unauthorized Access'],
'vulnerability_exploited': ['Flaws in Tesla’s Mothership server',
'CAN bus vulnerabilities in Tesla Model S']}