Here’s a shocking truth: a Tesla executive recently told Congress that ‘no one has ever’ taken control of its vehicles remotely. But that’s simply not true. During a Senate Commerce Committee hearing on autonomous vehicles, Tesla’s Vice President of Vehicle Engineering, Lars Moravy, made this bold claim when questioned about cybersecurity. His response was clear: Tesla’s systems are fortified with multiple layers of security, and their driving controls are embedded in a central layer inaccessible from outside the vehicle. When pressed further, he doubled down, stating unequivocally that no one has ever taken over control of their vehicles. And this is the part most people miss: history tells a different story.
Let’s rewind to 2017, when security researcher Jason Hughes (known as WK057) uncovered a chain of vulnerabilities that granted him access to Tesla’s ‘Mothership’—the central server communicating with its entire fleet. Hughes didn’t just peek under the hood; he authenticated as any Tesla vehicle using only a VIN number, accessed location data, vehicle information, and—most alarmingly—sent commands to any Tesla on the road. To prove the severity, he remotely activated a Tesla’s Summon feature from North Carolina, moving a car in California. But here’s where it gets controversial: if more autonomous features had been available, Hughes could have theoretically stolen a vehicle from thousands of miles away. Tesla rewarded him with a $50,000 bug bounty—far exceeding their usual payout—and swiftly patched the vulnerability.
This wasn’t an isolated incident. In 2016, researchers at Keen Security Lab remotely hacked a Tesla Model S from 12 miles away, taking control of its brakes. Tesla fixed this issue within 10 days, but the fact remains: remote control of Tesla vehicles has been achieved—not by malicious actors, but by ethical ‘white hat’ hackers who responsibly disclosed these flaws. Is it fair to claim ‘no one has ever’ taken control when these incidents are a matter of public record?
To be fair, Tesla has made significant strides in cybersecurity since 2017, expanding its bug bounty program, beefing up its security team, and participating in hacking competitions like Pwn2Own. Yet, during a hearing where Tesla is pushing for federal regulation of autonomous vehicles, the accuracy of safety and security claims is critical. While Tesla deserves credit for its improvements, executives must be precise when testifying before Congress, especially when the history is already documented.
Here’s a thought-provoking question for you: Should companies like Tesla be held to a higher standard of transparency when discussing their security history, even if vulnerabilities were addressed responsibly? Let us know your thoughts in the comments below!
