Tesla’s Telematics Control Unit Vulnerability Let Attackers Gain Code Execution as Root


A security vulnerability in Tesla’s Telematics Control Unit (TCU) allowed attackers with physical access to bypass security measures and gain full root-level code execution.

The flaw stemmed from an incomplete lockdown of the Android Debug Bridge (ADB) on an external Micro USB port, enabling a physically present attacker to compromise the vehicle’s TCU. Tesla has since patched the vulnerability via an over-the-air (OTA) software update.

According to NCC Group, the vulnerability was present in Tesla firmware version v12 (2025.2.6). While Tesla implemented logic to block direct shell access via adb shell on production devices, researchers discovered this lockdown was insufficient.

The lockdown left two critical ADB features available: reading and writing files as the root user with adb pull and adb push, and forwarding network traffic with adb forward.

Since the ADB process (adbd) on the TCU runs with root privileges, these oversights created a powerful attack vector.

Tesla’s Telematics Control Unit Vulnerability

An attacker could exploit this flaw by physically connecting a device to the TCU’s exposed Micro USB port. The attack involved several steps:

  1. Upload a Payload: The attacker would use the adb push command to upload a malicious executable script to a writable directory on the TCU, such as /tmp.
  2. Trigger Execution: The attacker would then abuse the kernel’s uevent_helper subsystem. By writing the path of their malicious script to the uevent_helper file, they could trick the kernel into executing it with root privileges when a system event was triggered.
  3. Gain Access: A simple action like reading a file with adb pull was enough to trigger a uevent, causing the malicious script to run. In the proof-of-concept, the script started a Telnet server, which the attacker could then connect to using a port forwarded via adb forward, granting them a root shell on the device.
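
A defender-side check for the preconditions the steps above rely on, as an added example that is not NCC Group's or Tesla's code: it reports a configured uevent helper and a /tmp mount without noexec. The function names and the ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a Linux target (live "/" or an unpacked image) for the
# conditions behind the adb push -> uevent_helper -> root execution chain.
# The ROOT prefix argument and all function names are hypothetical.

# Print the helper path stored in FILE ($1), or nothing if unreadable/empty.
helper_value() {
    if [ -r "$1" ]; then tr -d '\n' < "$1"; fi
}

# Succeed if the last mount entry for mount point $2 in mounts file $1
# carries the noexec option. No entry at all counts as "not noexec".
mount_is_noexec() {
    awk -v mp="$2" '$2 == mp { opts = $4 }
        END { exit ((("," opts ",") ~ /,noexec,/) ? 0 : 1) }' "$1"
}

# Print one line per observation; return 0 if no FINDING, 1 otherwise.
audit_uevent_chain() {
    root="${1%/}"; findings=0
    # Both files expose the same kernel setting and exist only when the
    # kernel is built with CONFIG_UEVENT_HELPER.
    for f in sys/kernel/uevent_helper proc/sys/kernel/hotplug; do
        [ -e "$root/$f" ] || continue
        v=$(helper_value "$root/$f")
        if [ -n "$v" ]; then
            echo "FINDING: /$f is '$v' (run by the kernel as root on each uevent)"
            findings=$((findings + 1))
        else
            echo "NOTE: /$f exists (CONFIG_UEVENT_HELPER enabled), currently empty"
        fi
    done
    mounts="$root/proc/mounts"
    if [ -r "$mounts" ] && ! mount_is_noexec "$mounts" /tmp; then
        echo "FINDING: no noexec mount for /tmp (files written there can be executed)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
```

Call audit_uevent_chain / on a live target, or pass the directory of an unpacked firmware image. A NOTE line means the helper interface is compiled in, so any process that can write files as root can set it.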

The impact of this vulnerability is severe, as gaining root access on the TCU gives an attacker complete control over that component. While the attack requires physical access, a compromised TCU could potentially serve as a pivot point for further attacks on the vehicle’s internal network.

The vulnerability was responsibly disclosed to Tesla on March 3, 2025. Tesla acknowledged the report the following day and began rolling out a patch in firmware version 2025.14 on April 24, 2025.

The fix resolves the issue by completely disabling the ADB interface on the Micro USB port for production vehicles, ensuring it can no longer be used as an attack vector.

The public advisory was released by NCC Group on September 29, 2025, after the patch was widely deployed. This incident highlights the ongoing efforts by security researchers to probe automotive systems and the effectiveness of Tesla’s OTA update mechanism in rapidly deploying security fixes to its fleet.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.