In testimony before the United States Senate Commerce Committee last week, Tesla Inc. Vice President of Vehicle Engineering Lars Moravy gave lawmakers a confident assertion about his company’s cybersecurity posture.
When pressed on whether anyone has ever been able to take control of a Tesla, Moravy replied with an unequivocal “no.”
His answer was intended to reassure policymakers who are weighing federal standards for autonomous vehicles (AVs) and connected car security. But that statement stands at odds with a well-documented history of cybersecurity intrusions in Tesla systems.
Moravy’s claim look straightforward enough: Tesla’s driving controls reside behind a “core-embedded” layer that cannot be accessed externally, and independent attempts to breach that layer have never succeeded, he said.
Even when pushed, he insisted there is no historical example of anyone commandeering a Tesla from afar. But, arguably, his choice of words glosses over the nuance of documented past research.
2017: The “Mothership” Breach That Shocked the Industry
Electrek remembers a landmark incident nearly a decade ago as the most striking contradiction to Tesla’s Congressional claim.
In 2017, a security researcher named Jason Hughes — widely known by his handle WK057 — uncovered a chain of vulnerabilities that gave him access to Tesla’s so-called “Mothership” server.
This central node served as the communications backbone for the entire Tesla fleet, enabling Tesla to send updates and commands to vehicles around the world.
Hughes’ exploit did not rely on physically opening a car or exploiting a Bluetooth or Wi-Fi link. With nothing more than a VIN (vehicle identification number), he was reportedly able to authenticate as any Tesla unit in existence.
Using that access, he sent commands to a nearby vehicle and activated the car’s Summon feature from hundreds of miles away. Tesla quickly paid him a high-tier reward and patched the vulnerabilities, but the implications were real: a single individual successfully bridged from remote network access into vehicle control commands.
2016 Hack Demonstrates Remote Vehicle Control
That was not the only episode of this sort. In 2016, researchers from Keen Security Lab demonstrated a remote attack on a Model S that accessed the vehicle’s internal controller network, or CAN bus.
Through that remote exploit, the team were able to manipulate safety-critical systems including braking, steering signals and other functions. Tesla responded swiftly with patches. While the swift patch reflected responsible disclosure, the fact remains that these systems were breached successfully outside of a controlled lab environment.
Security professionals might point out that neither of these breaches ended in reported malicious misuse on public roads. After all, Tesla’s bug bounty program and internal improvements have made progress on hardening systems, and the company now participates in high-profile hacking contests such as Pwn2Own Automotive.
That event itself recently highlighted even more latent vulnerabilities in Tesla hardware and software, including infotainment systems being rooted by security teams demonstrating zero-day exploits.
Where Meaning and Words Diverge
Granted, one might say that what Moravy appears to have meant in his Senate answers is that no bad actor has been caught exploiting these vulnerabilities against drivers on a public road. But his phrasing left room for misinterpretation.
Statements that “no one has ever been able” blur the line between tested controlled exploits by white hat researchers and hypothetical real-world attacks.
By that logic, Waymo Chief Strategy Officer Mauricio Pena shouldn’t have answered in affirmative either when asked the same question by the same committee.
Waymo executives clarified at the hearing that their vehicles sometimes rely on remote human guidance, but this does not mean bad actors or hackers have taken control.
Waymo employs “fleet response agents,” which is a fancy way of saying trained staff who can provide input when the software encounters unusual or complex situations. These agents can suggest routes or actions, but the autonomous system itself retains control over steering, braking, and acceleration.
Waymo vs. Tesla: Remote Guidance, Cybersecurity, and the Battle for Public Trust
It was widely implied that the ride-hailing company admitted to losing or ceding control of its technology to outside actors, but Waymo confirmed that outside entities have never seized control of its cars. The guidance system is internal, secure, and designed to support safety, not override it.
Lawmakers pressed the issue because the public often assumes “remote control” means vulnerability to hacking. Waymo emphasized that guidance is advisory, not direct control, and that cybersecurity protections are in place.
So, yes, Waymo ultimately acknowledged outside input exists, but it’s from their own trained staff, not malicious actors.
Perhaps Tesla’s people denied the existence of outside control of its cars because they understood this distinction matters for public trust, policy framing and future federal regulation.
It’s beyond interesting that the company with zero public reports of malicious actors breaching its internal vehicle control systems or taking over steering/braking is the one ‘pleading guilty’ while the one with well-documented incidents posits total innocence.
The closest thing to a documented Waymo hijack is the 2025 incident, where a prankster coordinated 50 simultaneous ride requests to create a robotaxi traffic jam in San Francisco. This was dubbed the “first Waymo DDoS,” but it exploited the app’s normal functionality — not a hack of vehicle control systems.
We might even add that Waymo cars have been vandalized (tires slashed, vehicles set on fire), but those are external acts, not cyber intrusions.
Tesla’s vulnerabilities, on the other hand, showed direct remote access into vehicle control systems. Waymo’s incidents so far have been service disruptions or vandalism — never hostile cyber intrusions into the driving stack.
Tesla’s push to influence federal autonomous vehicle policy is happening amid rising scrutiny of its autonomy suite and remote features.
The U.S. National Highway Traffic Safety Administration (NHTSA) has been investigating various Tesla remote driving features due to crash reports and software behavior in consumer-facing systems. These probes add another layer of complexity to discussions about cybersecurity and safety assurance.
Why Precision Matters
Indeed, history has taught us that automotive cybersecurity is an evolving battleground where staged vulnerabilities, responsible disclosures, and defensive patches all play a role. As such, it isn’t inaccurate to say that current Tesla vehicles are more secure than those in 2016 or 2017.
View this post on Instagram
But to assert that no one has ever taken control of a Tesla’s operational systems disregards the publicly documented incidents of past researchers doing exactly that.
For lawmakers sculpting the future regulatory framework, accuracy in testimony should amount to more than just semantics. It has to be essential to crafting effective public policy for a future dominated by connected and autonomous vehicles.
Sources: TESLARATI