Tesla Patches TCU Bug Allowing Root Access Through USB Port

Tesla patches a TCU bug that let attackers gain root via USB, highlighting risks in connected vehicle security.

Written By
Ken Underhill
Sep 30, 2025

A vulnerability in Tesla’s telematics control unit (TCU) allows attackers with physical access to gain full root-level code execution, raising concerns over the security of connected vehicles. 

The flaw has since been patched through an over-the-air (OTA) software update, but the incident underscores the ongoing challenges in securing automotive systems.

“Tesla’s telematics control unit (TCU) was vulnerable to a bypass of the ADB lockdown logic implemented by Tesla, which is designed to prevent attackers from gaining shell access to production devices,” NCC Group researchers said.

The stakes: root access in your car

The vulnerability affected Tesla firmware version v12 (2025.2.6) and centered on the TCU’s external Micro USB port. 

Although Tesla had disabled direct shell access via adb shell, researchers discovered that two key ADB features remained available: file transfer with adb push/adb pull and port forwarding with adb forward.

Because the ADB daemon (adbd) runs with root privileges on the TCU, these oversights gave attackers a straightforward path to execute arbitrary code.

Breaking in: step-by-step exploit

An attacker with physical access to a Tesla vehicle could connect a device to the TCU’s Micro USB port and leverage ADB’s residual functionality. 

The exploit proceeded in three steps:

  1. Payload delivery: The attacker used adb push to upload a malicious script (e.g., /tmp/telnetd.sh) into a writable directory.
  2. Privilege escalation: By writing the script’s path to the kernel’s uevent_helper file, the attacker tricked the system into executing it with root privileges once a system event was triggered.
  3. Remote shell access: A simple command, such as adb pull /etc/passwd, generated the needed event, causing the script to run and start a Telnet server. Using adb forward, the attacker could then connect remotely and obtain a root shell.

In its proof-of-concept, NCC Group demonstrated that the attack reliably provided unrestricted access to the TCU. Although the attack required physical proximity, the ability to compromise the TCU raises concerns about potential lateral movement within the vehicle’s internal network.

The severity of the flaw lies in the elevated privileges it provides. Root access to the TCU could enable modification of core system functions, unauthorized data exfiltration, or serve as a pivot point into other in-vehicle networks.

Although no evidence suggests active exploitation, the disclosure underscores the risks posed by physical attack surfaces — particularly where devices are exposed during service, repair, or tampering.

More broadly, this case reflects the convergence of IT, OT, and IoT risks. Modern vehicles now run complex software stacks comparable to those found in enterprise systems, meaning flaws once considered niche can now pose significant safety and operational risks. 

Closing the door on Tesla’s patch & beyond

While Tesla’s patch addresses the vulnerability, security teams can further reduce risk by implementing additional controls, including:

  • Apply OTA updates promptly and treat vendor firmware patches as high-priority to close known vulnerabilities.
  • Monitor for unusual system behavior by checking for unexpected services or network activity that may indicate compromise.
  • Limit and secure physical access to exposed ports, especially in unattended or high-risk environments.
  • Audit and inventory diagnostic or debug interfaces regularly to ensure only essential ones remain enabled.
  • Implement tamper detection mechanisms to alert when unauthorized physical access to vehicle components occurs.
  • Adopt a layered defense strategy with least privilege and segmentation to minimize the impact of potential breaches.
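
The monitoring item above can be made concrete for the two artifacts this attack leaves behind: a registered uevent helper and an unexpected listening service. The script below is an added example, not code from Tesla, NCC Group, or the article; it assumes the standard Linux locations /sys/kernel/uevent_helper and /proc/net/tcp, uses a hypothetical allowlist of expected ports, and runs against constructed sample data.

```shell
#!/bin/sh
# Added defensive example; not Tesla or NCC Group code.
# Assumes the standard Linux paths /sys/kernel/uevent_helper and /proc/net/tcp.

# Report whether a uevent helper is registered and whether it sits in a
# directory that unprivileged file transfer could write to.
audit_uevent_helper() {
    helper_file=${1:-/sys/kernel/uevent_helper}
    if [ ! -r "$helper_file" ]; then
        echo "unknown: cannot read $helper_file"; return 0
    fi
    helper=$(cat "$helper_file")
    if [ -z "$helper" ]; then
        echo "ok"; return 0
    fi
    case "$helper" in
        /tmp/*|/var/tmp/*|/dev/shm/*|/data/local/tmp/*)
            echo "alert: helper in writable directory: $helper" ;;
        *)  echo "alert: unexpected helper registered: $helper" ;;
    esac
}

# Print listening TCP ports (decimal) that are not in the space-separated
# allowlist given as $2. State 0A in /proc/net/tcp means LISTEN.
unexpected_listeners() {
    tcp_table=${1:-/proc/net/tcp}
    allow=" ${2:-} "
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$tcp_table" | sort -u |
    while read -r hex; do
        port=$((0x$hex))
        case "$allow" in
            *" $port "*) ;;
            *) echo "$port" ;;
        esac
    done
}

# Constructed sample data (not captured from a vehicle).
demo_dir=$(mktemp -d)
printf '/tmp/telnetd.sh\n' > "$demo_dir/uevent_helper"
cat > "$demo_dir/tcp" <<'EOF'
  sl  local_address rem_address   st
   0: 00000000:0017 00000000:0000 0A
   1: 0100007F:1F90 00000000:0000 0A
   2: 0100007F:0050 0100007F:C350 01
EOF
audit_uevent_helper "$demo_dir/uevent_helper"
unexpected_listeners "$demo_dir/tcp" "8080"   # hypothetical allowlist
rm -rf "$demo_dir"
```

Loopback-only listeners are reported on purpose, because a port forward over ADB reaches services bound to the device's localhost.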

The Tesla TCU vulnerability shows that even partial lockdowns of administrative tools like ADB can leave critical security gaps. Although this flaw required physical access, its exploitation pathway highlights the need for comprehensive threat modeling and layered defenses.

As vehicles continue to evolve into mobile computing platforms, security teams should view automotive cybersecurity as part of the broader enterprise attack surface.

These same challenges of securing connected systems are increasingly seen in industrial control environments, where the stakes can be even higher.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
