Tesla Model 3 Physical CAN Bus Injection

Physical CAN Bus Injection in Tesla Model 3

Title:

Tesla Model 3 – CAN Bus Injection via Externally Accessible Connector Enables Unauthorized Unlocking, Ignition Activation, and Vehicle Control

Affected Vehicle:

Tesla Model 3 (Tested on software version v11.1 – 2023.20.9 ee6de92ddac5)

Issue mitigated in part in firmware version 2023.44

Description:

A critical vulnerability was identified in the Tesla Model 3’s vehicle network that allows an attacker to inject malicious CAN messages without needing key-based authentication or internal physical access. The attack path originates from an externally accessible connector. This connector provides direct access to the in-vehicle CAN bus without requiring any bypass of physical or cryptographic protections.

Upon connecting to this interface, the attacker can transmit specifically crafted CAN frames to control essential vehicle functions.

Impact:

By exploiting this vulnerability, an attacker with physical access to the external area can remotely unlock the vehicle, enable ignition, and potentially place the vehicle into a driveable state—without possessing a valid key or opening the door.

Attack Vector:

Physical access to easily accessable connector:

No cryptographic checks bypassed

No secure gateway protection in path

Reproducibility:

Confirmed. This injection was repeatable without vehicle disassembly, key fob possession, or software tampering.

Mitigation:

Tesla addressed the remote start signal injection in firmware version 2023.44. The unlocking signal remains active and under further review.

Disclosure Timeline:

Vulnerability reported to Tesla Product Security by ASRG on April 28, 2025

Tesla acknowledged and partially addressed the issue in subsequent firmware

CVE requested and assigned via ASRG Disclosure Program

Discoverer:

N. Saka at Plaxidityx