Security researchers have uncovered major vulnerabilities in two of Tesla’s most popular vehicles, revealing that the Tesla Model 3 and Cybertruck can be transformed into remotely controlled, highly compromised “machines on wheels.” The findings highlight new concerns around the growing complexity of connected cars – and how deeply embedded software systems can introduce risks most drivers never consider.

Researchers demonstrate deep access inside Tesla’s system software

A research team from Northeastern University has shown that they could manipulate core systems inside the Tesla operating environment by exploiting vulnerabilities in the vehicle’s internal networking architecture. Rather than breaking into the car from a distance, researchers focused on what happens once an attacker gains physical access – a scenario they argue is far more realistic than fully remote Hollywood-style car hacks.

Their work demonstrated that plugging a compromised device into Tesla’s internal network could unlock access to subsystems responsible for power steering, braking behavior, acceleration logic, and even driver-assistance features. By reverse-engineering protocols and communication pathways inside the vehicles, researchers created proof-of-concept attacks capable of altering vehicle behavior in ways the driver would not immediately detect.

Why the findings matter for connected vehicles

Modern vehicles rely heavily on a network of microcontrollers, sensors, and software layers – more than 100 million lines of code in some cases. This complexity increases the potential attack surface dramatically. The research underscores that today’s EVs and smart cars function much like rolling computers, and that traditional automotive safety assumptions don’t fully account for systemic software vulnerabilities.

Critically, the team notes that an attacker wouldn’t need to be a nation-state actor or elite hacker. With basic technical skills and short-term physical access – for example during valet parking, routine servicing, or rental car use – a malicious device could be introduced to modify internal communications on the vehicle’s CAN bus.

These are not remote takeover attacks, but they show that internal system protections are not robust enough to prevent malicious code execution once an intruder reaches the car’s physical ports.

Implications for drivers and the industry

For everyday drivers, the research brings attention to the importance of treating modern cars as digital devices with their own cybersecurity risks. Features like keyless entry, over-the-air updates, and extensive onboard sensors dramatically improve convenience – but they also create more potential failure points.

The findings also highlight a broader industry challenge: car manufacturers are racing to add autonomous features, AI-driven systems, and always-connected infotainment platforms, but security frameworks have not evolved at the same pace. With EV adoption rising and cars becoming increasingly software-dependent, security researchers warn that vulnerabilities could become more common unless cybersecurity becomes a core design priority.

What’s next for Tesla, regulators, and automakers

Researchers disclosed their findings to Tesla before publication, and while the company acknowledged the report, it noted that the tests involved devices plugged directly into the vehicle – a scenario it considers lower-risk than remote compromise. Still, the research community argues that physical-access hacks remain critical threats in real-world contexts.

Going forward, academics expect more attention on automotive cybersecurity standards, including stronger encryption of internal communications, authenticated software messaging, and redesigned access ports that minimize the risk of malicious injections.
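To make "authenticated software messaging" concrete, here is an added example (not code from the researchers or from Tesla) of a receiver that accepts a CAN frame only if it carries a valid truncated HMAC and a fresh counter. The payload layout, key, CAN ID and all names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4  # truncated tag size; assumption chosen to fit an 8-byte classic CAN payload


def _tag(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    # The MAC covers the arbitration ID, the freshness counter and the signal data.
    msg = struct.pack(">IH", can_id, counter) + data
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_frame(key: bytes, can_id: int, counter: int, data: bytes) -> bytes:
    """Sender ECU: payload = counter (2 bytes) | data (2 bytes) | tag (4 bytes)."""
    if len(data) != 2:
        raise ValueError("this layout carries exactly 2 data bytes")
    return struct.pack(">H", counter) + data + _tag(key, can_id, counter, data)


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # highest accepted counter per CAN ID

    def accept(self, can_id: int, payload: bytes):
        """Return the data bytes if the frame is authentic and fresh, else None."""
        if len(payload) != 8:
            return None
        (counter,) = struct.unpack(">H", payload[:2])
        data, tag = payload[2:4], payload[4:]
        if not hmac.compare_digest(tag, _tag(self.key, can_id, counter, data)):
            return None  # sender lacks the key, or the frame was modified in transit
        if counter <= self.last_counter.get(can_id, -1):
            return None  # replay of a previously accepted frame
        # A 16-bit counter wraps; a production design needs a longer freshness value.
        self.last_counter[can_id] = counter
        return data


def demo():
    key, can_id = bytes(range(16)), 0x123  # constructed key and CAN ID
    rx = Receiver(key)
    genuine = build_frame(key, can_id, 1, b"\x00\x10")
    no_key = build_frame(b"\x00" * 16, can_id, 2, b"\x7f\xff")  # plugged-in device
    tampered = genuine[:2] + b"\x7f\xff" + genuine[4:]  # data changed, old tag kept
    return [rx.accept(can_id, f) for f in (genuine, no_key, tampered, genuine)]


if __name__ == "__main__":
    print(demo())
```

Only the first frame is accepted: the device without the key, the modified frame and the replayed frame are all dropped before their data reaches the control logic.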

Regulators may also revisit standards around connected vehicle safety as cars increasingly resemble complex cloud-connected computing platforms.

As connected vehicles become the norm, the automotive industry is likely to face increasing pressure to harden systems, adopt zero-trust architectures, and treat cybersecurity as seriously as crash safety.
