
Be careful where you let your car ride on wifi in the coming weeks

Wasn't questioning your integrity at all. Just observing that, as an anonymous user, you set an incredibly high bar for merely passing along a security alert to someone you said you knew. It probably would have taken less than 5 minutes of effort at the Tesla end to verify whether or not this was a serious breach. Pretty small price to pay compared to what you were asking for.
 
For those really wondering, here's your signed file. Grab the matching public key for verification from your car or from the maps aws ssh server.

 

Tesla runs a bug bounty program: Tesla’s bug bounty program | Powered by Bugcrowd. If genuine, that's where it should be reported.

Of course I got them notified the second I found out about this using the way outlined on their website, but it did not really lead to anything.

You would get the public key from your car, obviously, every car has it.

Anyway, I got contacted by Tesla security by email and they are claiming they never got my mail this time (though they did in the past), so they are looking into this.

Last year I submitted an issue to Bugcrowd for Tesla's bounty program. They had it patched within roughly 12 hours and I was paid very promptly. I would say that the program worked great on all sides.
 
What's your point, though? @verygreen had contacted Tesla and for him it did not work out.

My point is that when Bugcrowd took the lead they were very fast and good.
3:24PM issue submitted
8:41PM submission under examination by Bugcrowd and the Client. You may be asked to provide additional technical detail to aid in the investigation.
8:44PM Thank you for letting us know. We've notified our web-team and they have issued a patch, could you verify that the issue has been fixed?
4 days later: Congratulations! Tesla has awarded $xxx for your submission...

Here is the email I got from Tesla when trying to submit it directly to them.

From: "Vulnerability Reporting" <[email protected]>
Hello,

If you are looking to submit a vulnerability on our website (i.e. www.teslamotors.com) - please report those vulnerabilities here: Tesla’s bug bounty program | Powered by Bugcrowd

If you are reporting product-related security vulnerabilities, this is the correct place. If you have not already, consider using our GPG key here: https://www.teslamotors.com/sites/default/files/downloads/teslavulnerabilitypgp.asc

Thank you,
Tesla Information Security
 
Wasn't there an incident when @wk057 found something in the firmware and posted an encrypted message on twitter at 3 am with someone at Tesla encrypting it in a matter of hours and contacting him? And that was about the then-new 100D or something. I mean, how come that thing got so much attention in a matter of hours and this, much more serious issue, is unanswered for MONTHS?!?!

Something is amiss
 
Sadly it seems like a trend that the way to grab the attention of a tech company is to tweet at them or otherwise escalate via the media. Otherwise things slip through the cracks. Tesla said they didn’t get verygreen’s email. Not sure if I believe that or not.
 
Tesla said they didn’t get verygreen’s email. Not sure if I believe that or not.
Well, we will never know, but anyone from IT knows that this is easily verifiable - check the logs and everything will be clear: whether an email was delivered, where it was delivered to, and what happened to that email since then.

If in fact an email was received but "slipped through the cracks", the person who allowed that email to "slip through the cracks" should definitely be fired. This is a much larger problem than Aaron using "discounts" in his email and getting canned for that. Here, we are talking about leaving the key to the house at the front door.
 
I completely agree but assuming that none of us work at Tesla in their IT department it’s unclear if we can ever get the answers we want. We either have to believe Tesla or believe verygreen.....
 
This is a much larger problem than Aaron using "discounts" in his email and getting canned for that. Here, we are talking about leaving the key to the house at the front door.

That may be a bit extreme. Since the key was for the map server, it may be more akin to letting someone swap your newspaper.

Some might even appreciate 3rd party map servers with adjusted speed limits... Great, now I have Quake maps running through my head.
 
Sadly it seems like a trend that the way to grab the attention of a tech company is to tweet at them or otherwise escalate via the media. Otherwise things slip through the cracks. Tesla said they didn’t get verygreen’s email. Not sure if I believe that or not.

Keep in mind that Tesla lost numerous senior staff during 2017. This probably fell under the purview of at least one of them. I doubt they were motivated to do the honorable thing on the way out the door.
 
Wasn't there an incident when @wk057 found something in the firmware and posted an encrypted message on twitter at 3 am with someone at Tesla encrypting it in a matter of hours and contacting him? And that was about the then-new 100D or something. I mean, how come that thing got so much attention in a matter of hours and this, much more serious issue, is unanswered for MONTHS?!?!

Something is amiss

I believe he posted an easily decoded/crackable hash that almost anyone could figure out that led to the (previously un-announced) 100D logo/image. It was a thinly veiled way to release the information without actually releasing the information.

Immediately following that Tesla tried to downgrade his firmware without his permission.

(At least this is how I remember it, I might be a little off).
 
Yes, yes, yes! That one! I mean, the mere possibility of leaking a new product got their attention and immediate response/retaliation but this - got nothing (at least at first). Seems that they are in contact with verygreen now.
 
That may be a bit extreme. Since the key was for the map server, it may be more akin to letting someone swap your newspaper.

Except that newspaper is being processed by Tesla's navigation software, which with a near 100% guarantee contains bugs related to processing maps in an unexpected format, which means user-level access on at least one device on the internal bus, etc... Security is no joke.
 
I believe he posted an easily decoded/crackable hash that almost anyone could figure out that led to the (previously un-announced) 100D logo/image. It was a thinly veiled way to release the information without actually releasing the information.

Immediately following that Tesla tried to downgrade his firmware without his permission.

(At least this is how I remember it, I might be a little off).

Yep, Bingo on all counts.