Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Vulnerability Exposed Tesla Central Touchscreen to DoS Attacks

Tesla Model 3 hacked again

Tesla Model 3 hacked again

Hackers could have caused a Tesla Model 3’s central touchscreen to become unusable simply by getting the targeted user to visit a specially crafted website. The car maker has released a software update that patches the vulnerability.

A researcher who uses the online moniker Nullze discovered that the Tesla Model 3’s web interface is affected by a denial-of-service (DoS) vulnerability.

The flaw, tracked as CVE-2020-10558 and blamed on “improper process separation,” allows an attacker to cause the central display to become unresponsive.

“[The vulnerability] allows attackers to disable the speedometer, web browser, climate controls, turn signals, navigation, autopilot notifications, and blinker notifications along with other miscellaneous functions from the main screen,” Nullze explained in a blog post.

“To exploit the vulnerability, a user has to go to a specially crafted web page. This web page will crash the chromium-based browser interface and inherently crash the entire Tesla Model 3 interface,” he added.

The researcher pointed out that while exploitation of the vulnerability causes the central display to crash, the car can still be driven. The display starts working once the car has been turned off and turned on again.

The vulnerability was reported to Tesla through the electric car maker’s bug bounty program on Bugcrowd. The researcher was awarded an undisclosed bug bounty for his findings.

Tesla offers between $100 and $15,000 for vulnerabilities. Last year, the company awarded $10,000 to a researcher who discovered a stored cross-site scripting (XSS) vulnerability that could have been exploited to obtain vehicle information.

The company patched the flaw reported by Nullze with the release of version 2020.4.10 in mid-February. Software updates are automatically pushed to Tesla vehicles, and users can either install them immediately — if they are not about to drive the car — or schedule them for later.

Tesla owners who have yet to install the update can test the vulnerability by using a proof-of-concept (PoC) exploit made available by Nullze. The expert has also published several videos showing the exploit in action.

Nullze said he started looking at the security of Tesla cars after seeing Amat Cama and Richard Zhu win a Tesla at the Pwn2Own 2019 competition after they hacked the vehicle’s web browser.

Related: Tesla Breach: Malicious Insider Revenge or Whistleblowing?

Related: Tesla Model X Hacked by Chinese Experts

Related: Hackers Can Clone Tesla Key Fobs in Seconds

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet