New research from Northeastern University reveals vulnerabilities in Tesla's Model 3 and Cybertruck that allow hackers to track vehicles and disrupt communications via wireless systems. The study highlights broader security issues in modern connected cars, which rely on persistent cellular connectivity. Researchers emphasize that these risks extend to most vehicles using similar modem components.
Hackers could exploit the 4G LTE connectivity in Tesla’s Model 3 and Cybertruck to track vehicles, disrupt communications, and interfere with network performance, according to a study by Northeastern University researchers. The research, conducted by Aanjhan Ranganathan, a professor in the Khoury College of Computer Science, along with doctoral students Evangelos Bitsikas and Jason Veara, focused on the vehicles' wireless systems.
Modern connected cars, described as “computers on wheels,” feature cellular and Wi-Fi modems, GPS, Bluetooth, and vehicle-to-everything (V2X) technologies for safety features. Unlike smartphones, these vehicles maintain persistent connectivity for remote diagnostics, over-the-air (OTA) updates, and application communications, making them harder to monitor or control.
“The most important takeaway for someone buying a car is understanding that modern vehicles are always-on networked devices that you cannot control or monitor,” said Ranganathan.
A key vulnerability identified is IMSI catching, where hackers use IMSI catchers—devices mimicking cell towers—to capture International Mobile Subscriber Identity numbers during network attachments. This enables location tracking and can force vehicles into less secure modes or intercept data traffic.
“Any system that uses a cellular modem can be placed in situations where a nearby ‘fake tower’ can influence how it connects, especially if the attacker is physically close,” said Bitsikas. He added, “Importantly, this doesn’t automatically mean ‘remote control of the car,’ but it can impact communications and privacy (e.g., backend communication with Tesla servers).”
The study also found issues with SMS and emergency services systems, allowing spamming, fake alerts, and denial-of-service attacks. “The risk is less ‘someone hacks the whole car via one text,’ and more that message channels can be abused, spoofed or used for nuisance/engineering attacks depending on how the receiving system is designed,” Bitsikas explained.
These vulnerabilities stem from cellular modems supplied by Qualcomm and Quectel, affecting most modern connected cars. “Therefore, the problem is pretty much applicable to all modern connected cars,” said Ranganathan.
Consumer Reports loaned the 2024 models for testing. The researchers disclosed findings to Tesla, which acknowledged weaknesses in third-party modem stacks. Northeastern Global News sought comment from Tesla but received none.
Mitigation suggestions include upgrading to 5G for stronger identity protection, eliminating 2G and 3G fallbacks, and aligning with United Nations and International Organization for Standardization cybersecurity standards. For consumers, Ranganathan noted: “When you buy a connected car, you’re accepting a cellular connection that you cannot turn off or disable or switch to a preferred network.”
Research on connected car security is limited due to access difficulties, costs, and ethical challenges.
