White hat hacker Jason Hughes used server-side vulnerabilities to control all Tesla cars. Hughes, who gained a little fame in the Tesla community in 2017, used his knowledge and experience to find vulnerabilities in Tesla’s software and report them to the company.
After Tesla allowed customers access to more data about Supercharger stations, Hughes investigated and discovered a server-side vulnerability that allowed him to obtain data from Supercharger stations around the world every few minutes.
He posted the results on the Tesla Auto Club forum, and 20 minutes later he received a call from Tesla’s software security executive, who hoped that he would not disclose the vulnerability but would notify them later. He then began his career as a white hat hacker, continuing to search for vulnerabilities in Tesla’s software and servers for small bounties. One of his biggest discoveries was gaining access to a server mirror library on Tesla’s network through a set of vulnerabilities, one of which was in Mothership.
Mothership is the name of Tesla’s primary server used to communicate with customers’ cars. Remote instructions and diagnostic information for any Tesla car pass through Mothership. He found a vulnerability in Mothership that allowed him to send instructions to cars as any Tesla owner. Tesla’s remote control capabilities were limited at the time, and Hughes couldn’t steer the cars anywhere, but could summon them using the calling feature. The vulnerabilities earned him a $50,000 bounty.