Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECUs of Tesla Cars

Conference:  BlackHat USA 2018



The presentation discusses vulnerabilities found in Tesla's cybersecurity and how they were patched.
  • Tesla's cybersecurity was found to have vulnerabilities
  • A customized easter egg was used to gain privileged access to the CID
  • The vulnerabilities were reported to Tesla and quickly patched
  • The system is now more secure than before
The presenters found a large amount of data in the PC front and discovered a customized easter egg. They also used reverse work to locate the easter egg and patched the vulnerabilities found in Tesla's cybersecurity.


We, Keen Security Lab of Tencent, have successfully implemented two remote attacks on the Tesla Model S/X in year 2016 and 2017. Last year, at Black Hat USA, we presented the details of our first attack chain. At that time, we showed a demonstration video of our second attack chain, but without technical aspects. This year, we are willing to share our full, in-depth details on this research.In this presentation, we will explain the inner workings of this technology and showcase the new capability that was developed in the Tesla hacking 2017. Multiple 0-days of different in-vehicle components are included in the new attack chain.We will also present an in-depth analysis of the critical components in the Tesla car, including the Gateway, BCM(Body Control Modules), and the Autopilot ECUs. For instance, we utilized a code-signing bypass vulnerability to compromise the Gateway ECU; we also reversed and then customized the BCM to play the Model X "Holiday Show" Easter Egg for entertainment. Finally, we will talk about a remote attack we carried out to successfully gain an unauthorized user access to the Autopilot ECU on the Tesla car by exploiting one more fascinating vulnerability. To the best of our knowledge, this presentation will be the first to demonstrate hacking into an Autopilot module.