Security researchers have uncovered major vulnerabilities in two of Tesla’s most popular vehicles, revealing that the Tesla Model 3 and Cybertruck can be turned into remote-controlled, highly vulnerable “machines on wheels.” The findings highlight new concerns about the growing complexity of connected cars – and how deeply embedded software systems can introduce risks that most drivers never consider.
Researchers demonstrate deep access to Tesla’s system software
A research team from Northeastern University has shown that they can manipulate core systems within Tesla’s operating environment by exploiting vulnerabilities in the vehicle’s internal network architecture. Instead of breaking into the car remotely, the researchers focused on what happens if an attacker gains physical access – a scenario they say is far more realistic than fully remote, Hollywood-style car hacks.
Their work showed that connecting a compromised device to Tesla’s internal network could allow access to subsystems responsible for power steering, braking, acceleration logic and even driver assistance functions. By reverse engineering the protocols and communication paths within the vehicles, the researchers developed proof-of-concept attacks that could alter vehicle behavior in ways that the driver would not immediately notice.
Why the findings matter for connected vehicles
Modern vehicles rely heavily on a network of microcontrollers, sensors and software layers – in some cases more than 100 million lines of code. This complexity dramatically increases the potential attack surface. The research highlights that today’s electric vehicles and smart cars function similarly to rolling computers and that traditional automotive security assumptions do not fully account for systemic software vulnerabilities.
Critically, the team notes that an attacker does not have to be a nation-state actor or an elite hacker. With basic technical knowledge and short-term physical access – such as valet parking, routine maintenance, or rental car use – a malicious device could be introduced to alter internal communications on the vehicle’s CAN bus.
These are not remote takeover attacks, but they demonstrate that internal system protections are not robust enough to prevent malicious code execution once an intruder reaches the vehicle’s physical ports.
Impact on drivers and industry
For everyday drivers, the study highlights the importance of treating modern cars as digital devices with their own cybersecurity risks. Features like keyless entry, over-the-air updates and extensive onboard sensors significantly improve convenience – but they also create more potential points of failure.
The findings also highlight a broader challenge for the industry: Automakers are racing to add autonomous features, AI-driven systems and always-connected infotainment platforms, but safety frameworks have not evolved at the same pace. As electric vehicles become more widespread and cars rely more heavily on software, security researchers warn that vulnerabilities could become more common if cybersecurity does not become a key design priority.
What’s next for Tesla, regulators and automakers?
The researchers disclosed their findings to Tesla before publication, and while the company acknowledged the report, it noted that the tests involved devices connected directly to the vehicle – a scenario it said is lower risk than a remote compromise. Nevertheless, the research community argues that physical access hacks continue to pose a critical threat in real-world contexts.
Going forward, scientists expect more attention to automotive cybersecurity standards, including stronger encryption of internal communications, authenticated software messaging, and redesigned access ports that minimize the risk of malicious injections.
Regulators may also reconsider standards for connected vehicle security as cars increasingly resemble complex, cloud-connected computing platforms.
As connected vehicles become the norm, the automotive industry will likely face increasing pressure to harden systems, adopt zero-trust architectures and take cybersecurity as seriously as crashworthiness.




