Tesla Telematics Control Unit Authentication Bypass Vulnerability Allowing Root Access via ADB

An authentication bypass vulnerability has been identified in Tesla's Telematics Control Unit (TCU) firmware versions prior to 2025.14. This vulnerability allows physical attackers to bypass the ADB lockdown feature, which is intended to prevent shell access on production devices. The TCU's ADB daemon runs with root privileges, and although the lockdown check disables shell access, it still allows file transfers and port forwarding. Exploitation involves writing a file to a writable location and using it to overwrite kernel parameters, triggering the execution of a script with root privileges.

Impact

Exploitation of this vulnerability grants root access on the affected TCU, allowing for full control over the unit.

Reproduction

The vulnerability can be reproduced by connecting a device to the TCU's exposed USB port and creating a udev rule to allow ADB access. After verifying the connection, the ADB lockdown can be bypassed by using ADB commands to write files as root. The uploaded files can then be used to exploit the ADB authorization bypass by overwriting kernel hotplug entries, which triggers the execution of a payload script with root privileges.

Remediation

Users can update to Tesla TCU firmware version 2025.14 or later, which removes the ADB access via the Micro USB port, effectively closing this vulnerability.