Welcome to Tesla Motors Club
Just throwing this out there.. If they redirected the DNS for the teslamotors.com domain, I would suspect if they did it right and also accepted SSL connections on sub domains, and the tesla mobile app is set to ignore SSL certificate warnings (possible), that the attackers could be collecting My Tesla login credentials of anyone that attempts to connect during the outage. Many "ifs" here, but it is possible.
 
As others have mentioned, this is a DNS issue. The hacker(s) got into the system of the domain host (Network Solutions, Inc.) and simply changed where teslamotors.com points. I seriously doubt there was anything beyond that done. No intrusion into the internal or external systems at Tesla, just hijacked where teslamotors.com points.

This may have very serious consequences yet. *IF* what has happened is that an attacker has penetrated the domain host
Getting into the admin panel of a domain host can give access to all sorts of records, A records, MX records, ftp accounts etc. Passwords for these usually, but not invariably, are encrypted. New records and ftp accounts can be administered.

So there will be plenty of FUD about this, and actually some justifiably so.

The dust needs to settle and Tesla need to be very open about what has occurred, how and the scope.

Countless sites get hacked, so this isn't the first or last time this will happen.
99% of the time it is just boring.
 
I was checking the DNS resolution of teslamotors.com when this first got hacked and got
$ host teslamotors.com
teslamotors.com has address 95.85.49.151
teslamotors.com mail is handled by 5 mailforward1.cloudns.net.
teslamotors.com mail is handled by 10 mailforward2.cloudns.net.
$ host 95.85.49.151
Host 151.49.85.95.in-addr.arpa. not found: 3(NXDOMAIN)

Now I get
$ host teslamotors.com
teslamotors.com has address 178.32.152.214
teslamotors.com has address 5.254.113.29
teslamotors.com has IPv6 address 2a00:1768:1001:9::10
teslamotors.com mail is handled by 10 mailforward2.cloudns.net.
teslamotors.com mail is handled by 5 mailforward1.cloudns.net.
$ host 178.32.152.214
Host 214.152.32.178.in-addr.arpa. not found: 3(NXDOMAIN)
$ host 5.254.113.29
29.113.254.5.in-addr.arpa domain name pointer 5.254.113.29.reserved.voxility.com.

All these IP addresses are managed by ClouDNS.net. Typing the IP addresses in a web browser yields
This IP address is managed by ClouDNS. If you see this page on your domain name, please contact support [at] cloudns.net
 
This may have very serious consequences yet. *IF* what has happened is that an attacker has penetrated the domain host
Getting into the admin panel of a domain host can give access to all sorts of records, A records, MX records, ftp accounts etc. Passwords for these usually, but not invariably, are encrypted. New records and ftp accounts can be administered.

They didn't penetrate the domain host, they spoofed the DNS system to redirect the web requests.

Also. I'd bet dollar to donuts that Tesla (a) runs their own web servers and (b) doesn't run things like CPanel or other amateur web hosting control panels.

Even if they got into the DNS account at NetSol, that's not the same thing as a web server/domain host or admin panel.
 
Guys just so you know you don't have to be too concerned with this hack. They did not compromise Tesla's web site or systems in any way. They basically got a password to the networksolutions.com website where they could change the IP which the name 'teslamotors.com' points to. So now you see their web page on their server instead of Tesla's servers. I'm not saying don't change your passwords but just thought it might give some people a bit more peace of mind.

That's a bold statement, with too many assumptions for me at this stage.
Access to the domain host admin panel can have far reaching effects.

It is implausible that this attack has not been planned some way in advance, and it is unlikely they just went for the flash publicity; they will have had a more considered agenda behind this.

If they do have access to the domain administration, how long have they had this for and what have they been doing before this all came to light on the website/twitter feed?
 
Yeah, doesn't look like Tesla was hacked at all. However the hacker got into Network Solutions and changed DNS.

Unfortunately, this is bad. The attackers have *.teslamotors.com pointed to some Romanian IPs. They also have *@teslamotors.com mail intercepted. This would explain the twitter hacks. (Tell twitter to reset the password, get the email, get in).

They don't appear to have an https server up, which is good I guess.
 
DNS and javascript

Interesting. teslamotors.com, the "www" version, and "my" version all point at 5.254.113.29 for me. A whois lookup on that domain shows it allocated to Globalcity Telecom S.R.L in Romania. There's a little sneaky javascript gizmo on the teslamotors.com site which is pointing at a weird ISIS.CAMP domain name.
 
Guys just so you know you don't have to be too concerned with this hack. They did not compromise Tesla's web site or systems in any way. They basically got a password to the networksolutions.com website where they could change the IP which the name 'teslamotors.com' points to. So now you see their web page on their server instead of Tesla's servers. I'm not saying don't change your passwords but just thought it might give some people a bit more peace of mind.

Two things:

A) Yes, from our limited data gathering that we can do in the absence of anything official from, it appears that DNS was changed. But this may or may not be the extent of the compromise. We don't know.

B) Let's suppose that the DNS explanation is factual and that's all that was compromised. If your app was running on your phone or Visible Tesla was running on your computer, those applications attempted to contact Tesla's servers via DNS. Because of the hacked DNS changes, they instead reached the hacker's server, and attempted to send your login cookie to them. :scared: The apps may not have succeeded because they are supposed to connect with HTTPS, and it's highly unlikely the hackers could have forged Tesla's SSL certificate, but you never know.


Even if DNS changes were all that happened, your login could indeed still be compromised and that necessitates a password change when Tesla's systems are back up. If this is true, then in the meantime the hackers could conceivably use your login cookie that they may have to contact Tesla's real servers by IP address and issue commands to the car just like Visible Tesla does. For myself, I'm disabling remote access to the car until I can change my Tesla password.
 
I would still be concerned. They still have portal pages that have A records off the main domain. Especially if the hackers were logging incoming requests. Also, I'm not sure if employees are forced to authenticate over VPN first if they are outside of the office or a service center.

They have potential breaches or at least otherwise setup/infrastructure information to one or more of the following systems: salesforce, my garage, lync, exchange, and then whatever systems handle app/remote access for owners

Interesting tidbit, I do know all laptops have mandatory hard drive encryption with the onboard TPM chip.
 
I'm still getting an error on the main page

Service Unavailable - DNS failure

The server is temporarily unable to service your request. Please try again later. Reference #11.74dd54b8.1430005292.3c1239ce

Your PC/ISP hasn't flushed DNS cache yet and you're still connecting to the actual server... which is broken without DNS.


Interesting. teslamotors.com, the "www" version, and "my" version all point at 5.254.113.29 for me. A whois lookup on that domain shows it allocated to Globalcity Telecom S.R.L in Romania. There's a little sneaky javascript gizmo on the teslamotors.com site which is pointing at a weird ISIS.CAMP domain name.

It's not Javascript, it's an HTTP 301 redirect:

Code:
* Connected to wwws.teslamotors.com (5.254.113.29) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6
> Host: wwws.teslamotors.com
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Date: Sat, 25 Apr 2015 23:52:14 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< Location: http://isis.camp/
< Vary: Accept-Encoding
< Server: cloudns-nginx
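The redirect shown in the curl transcript above is the kind of thing a site owner can watch for automatically: fetch the front page from each published address and alert when a 3xx answer points at a host outside the owner's domain. The script below is an added example, not code from this thread or from Tesla. It parses a response head as a client sees it (the status line plus header fields, optionally with the "< " prefix curl -v prints) and classifies any Location it finds; the three sample responses are constructed, the first reproducing the header values quoted above.

```python
"""Detect a redirect that sends a domain's visitors off to another site.

Added example, not code from the thread or from Tesla: parses an HTTP response
head and reports whether a 3xx Location leaves the domain the client asked for.
The sample responses are constructed; the first reproduces the header values
shown in the curl transcript in the thread.
"""
from urllib.parse import urlsplit


def parse_response_headers(raw):
    """Return (status_code, {header-name-lowercased: value}) for one response head."""
    lines = [ln[2:] if ln.startswith("< ") else ln for ln in raw.strip().splitlines()]
    parts = lines[0].strip().split(maxsplit=2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.strip().partition(":")
        if sep:  # lines without a colon (the blank terminator) are skipped
            headers[name.strip().lower()] = value.strip()
    return status, headers


def in_domain(host, expected_domain):
    """True when host is expected_domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def check_redirect(raw_response, requested_host, expected_domain):
    """Classify a response: is it a redirect, and does it point outside expected_domain?"""
    status, headers = parse_response_headers(raw_response)
    finding = {"status": status, "redirect": False, "offsite": False, "target": None}
    if 300 <= status < 400 and "location" in headers:
        location = headers["location"]
        finding["redirect"] = True
        finding["target"] = location
        # A relative Location stays on the host that answered the request.
        target_host = urlsplit(location).hostname or requested_host
        finding["offsite"] = not in_domain(target_host, expected_domain)
    return finding


# Constructed sample 1: header values as printed in the thread's curl transcript.
HIJACK_RESPONSE = """\
< HTTP/1.1 301 Moved Permanently
< Date: Sat, 25 Apr 2015 23:52:14 GMT
< Content-Type: text/html
< Content-Length: 0
< Connection: keep-alive
< Location: http://isis.camp/
< Vary: Accept-Encoding
< Server: cloudns-nginx
< 
"""

# Constructed sample 2: a redirect a site legitimately issues (HTTP to HTTPS on its own name).
BENIGN_RESPONSE = """\
HTTP/1.1 301 Moved Permanently
Location: https://www.teslamotors.com/
Content-Length: 0
"""

# Constructed sample 3: a relative redirect, which stays on the answering host.
RELATIVE_RESPONSE = "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"


if __name__ == "__main__":
    for label, raw in [("hijack", HIJACK_RESPONSE), ("benign", BENIGN_RESPONSE),
                       ("relative", RELATIVE_RESPONSE)]:
        print(label, check_redirect(raw, "wwws.teslamotors.com", "teslamotors.com"))
```

Only the `offsite` flag is worth paging on: a 301 to one's own hostname over HTTPS is routine, while a redirect to a foreign registrable domain from a host that should serve content itself is the signature of the hijack described in this thread.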
 
Just wanted to point out that I assumed Network Solutions ran their DNS servers in my earlier posts, but it's possible Tesla is using a different provider other than the registrar. I see references to both cloudns.net and ultradns.net depending on which whois site I go to, so those may actually be the ones that got compromised. Ultradns.net is used by Amazon.

I get the following:
nslookup teslamotors.com NS11.CLOUDNS.NET: 178.32.152.214
nslookup teslamotors.com UDNS1.ULTRADNS.NET: 188.226.230.145

I'm using AT&T and my default goes to:
dnsr1.sbcglobal.net which gets 188.226.230.145
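The two kinds of evidence in this thread, the `host` output captured earlier and the per-nameserver nslookup comparison just above, both come down to one check a zone owner can automate: resolve the name through several resolvers and compare each answer set with the records the owner knows to be correct. The script below is an added example, not code from this thread or from any DNS provider. It parses the answer lines `host` prints, collects address and MX answers per resolver, and lists what each resolver returns that the baseline lacks and vice versa. The resolver labels, the baseline and the raw outputs are constructed; only the hijacked answer values are copied from the thread, and the MX exchanger in the baseline is a placeholder.

```python
"""Cross-resolver DNS consistency check against an expected baseline.

Added example (not code from the thread): parses the answer format printed by
the `host` command, collects address and MX answers per resolver, and reports
any resolver whose answers deviate from the expected set. Resolver labels, the
baseline and the raw outputs are constructed; the hijacked answer values are
the ones quoted in the thread.
"""
import re

# Answer forms printed by `host NAME`: address (IPv4 or IPv6) and MX lines.
_ADDR_RE = re.compile(r"^(?P<name>\S+) has (?:IPv6 )?address (?P<addr>\S+)$")
_MX_RE = re.compile(r"^(?P<name>\S+) mail is handled by (?P<pref>\d+) (?P<mx>\S+)$")


def parse_host_output(text):
    """Return {'ADDR': set(addresses), 'MX': set(exchanger names)} from host output."""
    records = {"ADDR": set(), "MX": set()}
    for line in text.splitlines():
        line = line.strip()
        m = _ADDR_RE.match(line)
        if m:
            records["ADDR"].add(m.group("addr").lower())
            continue
        m = _MX_RE.match(line)
        if m:
            records["MX"].add(m.group("mx").rstrip(".").lower())
    return records


def compare_resolvers(answers_by_resolver, expected):
    """Compare each resolver's answers with the baseline.

    answers_by_resolver: {resolver label: raw `host` output}
    expected: {'ADDR': set, 'MX': set} the zone owner knows to be correct
    Returns {resolver label: [discrepancy strings]}; an empty list is a clean match.
    """
    report = {}
    for resolver, raw in answers_by_resolver.items():
        got = parse_host_output(raw)
        issues = []
        for rtype in ("ADDR", "MX"):
            unexpected = sorted(got[rtype] - expected[rtype])
            missing = sorted(expected[rtype] - got[rtype])
            if unexpected:
                issues.append(f"unexpected {rtype} {unexpected}")
            if missing:
                issues.append(f"missing {rtype} {missing}")
        report[resolver] = issues
    return report


# Constructed baseline. 188.226.230.145 is the value the ultradns server returned
# in the thread; the MX exchanger is a placeholder, not a real record.
EXPECTED = {"ADDR": {"188.226.230.145"}, "MX": {"mx.example.invalid"}}

# Constructed raw outputs as two resolvers might print them during the hijack.
CONSTRUCTED_ANSWERS = {
    "ns-hijacked (constructed label)": """\
teslamotors.com has address 178.32.152.214
teslamotors.com has address 5.254.113.29
teslamotors.com has IPv6 address 2a00:1768:1001:9::10
teslamotors.com mail is handled by 10 mailforward2.cloudns.net.
teslamotors.com mail is handled by 5 mailforward1.cloudns.net.
""",
    "ns-intact (constructed label)": """\
teslamotors.com has address 188.226.230.145
teslamotors.com mail is handled by 10 mx.example.invalid.
""",
}


def run_check():
    """Run the comparison over the constructed data; serves as the usage example."""
    return compare_resolvers(CONSTRUCTED_ANSWERS, EXPECTED)


if __name__ == "__main__":
    for resolver, issues in run_check().items():
        print(resolver, "->", "OK" if not issues else "; ".join(issues))
```

Run against live data by replacing the constructed outputs with `host teslamotors.com <nameserver>` captured from each delegated nameserver and a couple of public recursive resolvers; a resolver that reports unexpected addresses or unexpected MX exchangers is the one whose delegation has been changed, and unexpected MX records deserve the same alarm as addresses because they mean mail for the domain is being delivered elsewhere.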
 
Taking a car off the 'net

So for me, giving the car a little break from internet access is easy 'cause I live out in the middle of nowhere and control all the networks the car sees (no ATT phone access out here). But suppose the intruders set up a situation where they're intercepting traffic to the cars and mucking about. How would people in range of ATT remove their car from the 'net? Not really a question that needs answering this minute, but an interesting attack surface.
 
Looks like the DNS server settings are fixed at NetSol now. However.... the hackers had a 172800 second TTL on the hacked NS records. :-\

So, going to be remnants of this for about two days.