A Step-By-Step Guide On How To Hack Tesla And Get Root Access

Everybody is talking about Tesla again. When Elon Musk presented a cheaper new model of Tesla not long ago, preorders were plentiful. Meanwhile, older Tesla models attract both eco-conscious drivers and hackers.

Chris Matthieu, head of IoT (Internet of Things) at Citrix and founder of Twelephone, a system for making calls from Twitter, has recently posted a step-by-step guide on how to get root access to a Tesla. Here is the hacker’s GitHub account if you’d like to know more about him. It must be said right from the start that you’d need a laptop, network cables and a screwdriver to repeat Chris’ experiment, because you’ll have to hack and physically break in at once.

I really don’t know why, but I decided to hack my Tesla Model S aiming to get root access to its CID touchscreen display. I spent two months researching and planning this project. After I was convinced that everything was set, I grabbed my tools and laptops and started to fulfill the plan.

Step 1. Getting access to the side panel

The first step is to remove the small side panel right behind the driver’s door to gain access to the small white connector, shown in the photo:

[Photo: service connector]

It may look strange, but it is just a simple category 6 Ethernet cable with a Tesla connector. It can be connected via a simple network cable and a matching connector. I used my improvised cable, but you may also look for the proper cable model at the marketplaces where second-hand electronics are sold.

As a result, I connected the network via this small white connector and from that moment I was able to perform the hack. Unfortunately, I couldn’t log in because I couldn’t get through the VPN without a password.

Step 2. Removing the lower part of the panel

I had to remove a huge part of the front panel under the steering wheel, which was fastened with 9 catchers. It was hard work, but I managed to do it.

Step 3. Removing the ventilation grill

Gosh, I thought it took me ages to remove this grill in front of the lower edge of the windscreen. Firstly, I unscrewed a big panel covering the dashboard to find the screws which hold the ventilation grill. I had to be careful not to bend or break anything while gaining access to those screws and disassembling the front panel. Afterwards, I just had to take the dashboard cover and ventilation grill off.

Step 4. Removing the dashboard

You also have to remove the dashboard by raising the upper cover and reaching the two upper screws. To tell the truth, I took the following photo after I removed the lower screws, as I wasn’t feeling confident enough to unscrew the upper ones. But later on I did that as well.

[Photo: dashboard removed]

You may now start to wonder how all this helps to unlock the white connector? Let’s go further.

Step 5. Gaining access to the dashboard’s cable

Now you see another white connector which is connected to the touchscreen CID display. The dashboard is connected to the CID via a web interface in order to receive navigation updates or music, and to send commands like ‘open the cover’.

My aim was to connect my improvised cable to the dashboard, detaching its original cable first. Tesla rolled back to Factory Mode; I disconnected the laptop from Tesla and returned its original cable to its place in the dashboard.

By the way, you will be able to see the Developer mode screens if you stay in the Factory mode for a while. But this is another story which I am thinking of publishing some day. For now I am showing the photo of my favorite thing so far – the temperature display.

[Photo: temperature display in Factory mode]

Step 6. Gaining root access to Tesla Model S

Tesla is in the Factory mode now. And the white connector near the driver’s door is unlocked and is waiting for us to connect to it. Now it is necessary to connect the laptop again and execute the obtain_root script which I wrote in advance.

The magic process starts, allowing me to connect to the touchscreen display with root rights. I made some manipulations to ensure that I won’t have to go through all that stuff next time I need access to the system. Afterwards I disconnected the white cable, switched off the Factory mode, performed a Tesla reload and screwed on all the plates and covers. That’s all, the hack is over!

After the hack

And what’s next? What did I gain after all? I did many investigations and research, so follow up to see the results.
