News
Tesla cybersecurity measures fail, hackers win Model 3 at hacking event
Tesla has been hacked at the Pwn2Own hacking event, and the hacking group has taken home a Tesla Model 3 and $100,000.
As electric vehicles and their significant amount of integrated software have become more common in everyday life, the security around them has become significantly more critical. In the worst-case scenario, a hacker could not only gain access to a car but could leak user data or even take control of the vehicle. Now, at the Pwn2Own hacking competition, a group of hackers successfully hacked a Tesla Model 3 and won the vehicle along with a $100,000 prize.
The successful hack completed by the group Synactiv was initially reported by the Zero Day Initiative Twitter account, revealing that the group had used a TOCTOU exploit to gain access to the vehicle.
One of the main highlights from Day One of #Pwn2Own Vancouver 2023: @Synacktiv vs the Tesla Model 3. Their successful demonstration earned them $100,000 and the car itself pic.twitter.com/d7TY5mKHxK
— Zero Day Initiative (@thezdi) March 23, 2023
CONFIRMED! @Synacktiv successfully executed a TOCTOU exploit against Tesla – Gateway. They earn $100,000 as well as 10 Master of Pwn points and this Tesla Model 3. #Pwn2Own #P2OVancouver pic.twitter.com/W61NasJPAl
— Zero Day Initiative (@thezdi) March 22, 2023
Thanks to the nature of the hacking competition, the details of how the hack was performed have not been made entirely public to avoid a security risk for Tesla owners. Still, the method the hackers used was relatively straightforward.
The TOCTOU (Time-Of-Check Time-Of-Use) exploit involves altering internal files to gain system access. In essence, the hackers are altering the files that a system will check to ensure someone actually should have access. This could, for example, involve changing login credentials to allow yourself access. However, as the name suggests, this is highly time-dependent, as it involves using the discrepancy of time between the system checking the files and a person actually being logged in.
Pwn2Own is one of the most famous hacking events in the world. It involves teams of hackers attempting to gain access to some of the most popular software available on the market. Each group of hackers and security researchers will be given a list of devices and software and a series of objectives to achieve. The first team to navigate through the list gains a cash prize. In this case, for completing this step of the competition quickest, the Synactive team won the Tesla Model 3 that they hacked.
With software becoming ever more interconnected with the vehicles we drive, focusing on keeping that software secure will only become more important as time passes. And with the increasing interconnectedness of these car systems, the consequences of not keeping these systems secure will only become more dire. Hopefully, automakers will take this threat seriously and continue to work to keep their items as safe and secure as possible.
What do you think of the article? Do you have any comments, questions, or concerns? Shoot me an email at william@teslarati.com. You can also reach me on Twitter @WilliamWritin. If you have news tips, email us at tips@teslarati.com!
News
Elon Musk secretly acquires $1B energy company to power the AI future
Elon Musk flew under the radar with his recent purchase of a $1 billion energy company, according to Federal Trade Commission (FTC) documents.
Transaction number 202612350 listed Tesla and SpaceX frontman Elon Musk as the acquiring party and CF APR Super Holdings LLC as the seller, with New APR Energy, LLC as the acquired entity. The deal, which closed without public announcement, came to light on May 14.
BREAKING: Elon Musk acquires Jacksonville power company APR Energy in a deal valued at more than $1,000,000,000.00.
— Polymarket Money (@PolymarketMoney) July 15, 2026
Analysts inferred the deal’s scale from minority stakeholder disclosures, including one report of a 5 percent interest sold for approximately $50.4 million. Fortress Investment Group had purchased APR’s assets in late 2024, rebranded the operation as New APR Energy, and subsequently transferred ownership to Musk.
APR Energy specializes in rapidly deployable power infrastructure. The company maintains one of the world’s largest fleets of mobile gas and diesel turbines, with more than 1.1 gigawatts of generation capacity. Its modular units, which are often trailer-mounted, enable turnkey installations ranging from 20 MW to over 500 MW.
APR provides full engineering, procurement, construction, operation, and maintenance services for behind-the-meter power plants, serving everything from data centers, utilities, and industrial clients.
The firm has expanded aggressively to meet surging demand, recently adding turbines and deploying over 100 MW for a major AI hyperscaler. Its solutions bridge critical gaps where grid interconnections face delays of two to five years, according to Yahoo.
The acquisition means something more for Musk. As he continues to expand projects in artificial intelligence, especially xAI, his AI venture, there is a greater need to supply energy-intensive supercomputing clusters, including the Colossus project, with what they need: reliable and high-capacity power.
Ownership of APR provides immediate access to flexible generation assets that can be deployed adjacent to data centers, reducing dependence on a strained infrastructure. It also complements Tesla’s energy storage business, so Musk will be able to pull from his own entities to address the rapid scaling demands of AI training and compute.
News
Tesla has to fix a big problem with its old headlights, NHTSA says
Tesla had a petition protesting a recall to fix a potential issue with 2017-2023 Model Y and Model 3 vehicles’ headlights was denied, as the National Highway Traffic Safety Administration (NHTSA) disagreed with the company’s opinion of things.
The recall covers approximately 19,917 Model Y and Model 3 vehicles built from 2017 to 2023. Tesla initially submitted a noncompliance report for the headlights on these vehicles on March 15, 2024. Tesla then petitioned for an exemption from the fix, which violated FMVSS No. 108 (40 CFR 571.108), arguing that the “noncompliance is inconsequential as it relates to motor vehicle safety.
🚨 Tesla was denied a petition by the NHTSA to avoid a recall of 19,900 2017-2023 Model 3 and Model Y vehicles.
The NHTSA found that the vehicles’ headlights may exceed maximum lighting levels. Tesla argued it was inconsequential and did not require a recall. pic.twitter.com/m8Jmm1teLL
— TESLARATI (@Teslarati) July 16, 2026
The NHTSA disagreed, stating that Tesla’s conclusion that the headlights do not increase any risk was not an opinion it shared. The agency said it disagreed with Tesla’s assumption that glare is not increased to surrounding traffic. This issue could be highlighted even more in certain weather conditions.
Tesla will be required to remedy the issue, the NHTSA ruled:
“In consideration of the foregoing, NHTSA has decided that Tesla has not met its burden of persuasion that the subject FMVSS No. 108 noncompliance is inconsequential to motor vehicle safety. Accordingly, Tesla’s petition is hereby denied, and Tesla is consequently obligated to provide notification of and free remedy for that noncompliance under 49 U.S.C. 30118 and 30120.”
The issue here appears to be the angle of the headlights and the brightness they emit during operation. The NHTSA report states that:
“Tesla’s headlamp supplier, Marelli Automotive Lighting, tested 25 right-hand and 25 left-hand lamps, and for this sample, found the maximum photometric intensity measured in the 10°U to 90°U and 90°L to 90°R zone was between 136.2 cd and 230.1 cd for the right-hand lamps and between 117.5 cd and 160.3 cd for the left-hand lamps. According to Tesla, these tests revealed that the photometric intensity of the right-hand and left-hand headlamp lower beam on the subject vehicles may measure as much as 230.1 cd in the 10°U to 90°U and 90°L to 90°R zone, exceeding the maximum photometric intensity by 105.1 cd. Additionally, Tesla states that a left-hand lamp tested by a Transport Canada recognized laboratory measured a maximum of 171.27 cd in the 10°U to 90°U and 90°L to 90°R zone. Despite these measurements exceeding the allowed photometric maximum of 125 cd, Tesla believes that the subject noncompliance is inconsequential to motor vehicle safety.”
Tesla also argued at some points that the headlights had not been deemed responsible for any complaints, accidents, or injuries related to the noncompliance.
Lifestyle
NTSB findings on fatal Tesla crash tell a very different story
The NTSB confirmed the driver, not Tesla’s FSD, caused the fatal Texas house crash.
The National Transportation Safety Board released preliminary findings Wednesday confirming that a Tesla driver, not the vehicle’s software, caused a fatal crash in Katy, Texas in June. The driver, 44-year-old Michael Butler, had engaged Full Self-Driving Supervised mode on Rose Hollow Lane, a residential street with a 30 mph speed limit, before manually overriding the system by pressing the accelerator pedal all the way to 100%. Data recovered from the 2025 Tesla Model 3 showed the vehicle was traveling over 70 miles per hour when it struck a home and killed 76-year-old Martha Avila, who was inside. Weather was clear, the road was dry, and it was daylight.
Texas man charged in fatal Tesla crash where he blamed Autopilot
Butler told authorities he had passed out at the wheel. But security camera footage obtained by the NTSB told a different story, and showed the car accelerating through an intersection before leaving the road entirely. Police also found that Butler’s phone had Google searches including the terms “Tesla FSD not aggressive enough 2026” and “Tesla FSD too timid,” raising serious questions about how he was using the system before the crash. Butler has since been charged with manslaughter. The victim’s family has filed a lawsuit against both Butler and Tesla, alleging negligence.
The NTSB findings aligned directly with what Tesla VP of AI Software Ashok Elluswamy had already stated publicly on X in the weeks after the crash, writing that “the driver manually overrode self-driving by pressing the accelerator all the way to 100%.” The data confirmed his account.
Yup. In this case, the driver manually overrode self-driving by pressing the accelerator all the way to 100% of the accel pedal in this residential area. They reached a speed of 73 mph during the crash, and had the accelerator pressed even after the crash.
— Ashok Elluswamy (@aelluswamy) June 22, 2026