Welcome to Tesla Motors Club
Discuss Tesla's Model S, Model 3, Model X, Model Y, Cybertruck, Roadster and More.
Register

Be careful where you let your car ride on wifi in the coming weeks

Wasn't questioning your integrity all. Just observing that, as an anonymous user, you set an incredibly high bar for merely passing along a security alert to someone you said you knew. It probably would have taken less than 5 minutes of effort at the Tesla end to verify whether or not this was a serious breach. Pretty small price to pay compared to what you were asking for.
 

verygreen

Curious member
Jan 16, 2017
3,031
11,707
TN
For those really wondering, here's your signed file. Grab the matching public key for verification from your car or from the maps aws ssh server.

Code:
KbhAHUkN+od2MoHH5doC7ZGLdyroSi1DwShT11GjIAwIECrW2avrDfJkDhehiWm1
jU3LVQtT21VqgQMLzAYqGAQ64xsY7x+C/0cZRWO+TrlEdDBQqPkHtzsY4/lQ3MX/
8f2gS7EXJ5TinodI+EMZum13uq7zpH8Lht0k4DBs3LRNP2UMHLCtpnxTtT634zhT
Pjs+fCHe1Nddv+0eRP6B3va53hlWaWi9JHZxPINcNeyONX3IG+Bsdz1hr0r5W/L5
rZkvub5hjrvA501QiRvXEbavVbKfAvNu2y/aXoUF7eN7VyryxGICqTmsoK4/OmND
2hFlXZSbZqwdk/abU3OgYQ==
 

Attachments

  • test_message.txt
    36 bytes · Views: 42

Trips

"Boring bonehead questions are not cool. Next?"
Sep 22, 2015
1,239
1,498
Omaha, NE
Tesla runs a bug bounty program. Tesla’s bug bounty program | Powered by Bugcrowd . If genuine, that's where it should be reported.

Of course I got them notified the second I found about this using the way outlined on their website, but it did not really lead to anything.

You would get the public key from your car, obviously, every car has it.

Anyway, I got contacted by Tesla security by email and they are claiming they never got my mail this time (though they did in the past), so they are looking into this.

Last year I submitted a issue to Bugcrowd for Tesla's bounty program. They had it patched within roughly 12 hours and I was paid very promptly. I would say that the program worked great on all sides.
 

Trips

"Boring bonehead questions are not cool. Next?"
Sep 22, 2015
1,239
1,498
Omaha, NE
What's your point, though? @verygreen had contacted Tesla and for him it did not work out.

My point is that when Bugcrowd took the lead they were very fast and good.
3:24PM issue submitted
8:41PM submission under examination by Bugcrowd and the Client. You may be asked to provide additional technical detail to aid in the investigation.
8:44PM Thank you for letting us know. We've notified our web-team and they have issued a patch, could you verify that the issue has been fixed?
4 days later: Congratulations! Tesla has awarded $xxx for your submission...

Here is the email I got from Tesla when trying to submit it directly to them.

From: "Vulnerability Reporting" <[email protected]>
Hello,

If you are looking to submit a vulnerability on our website (i.e. www.teslamotors.com) - please report those vulnerabilities here: Tesla’s bug bounty program | Powered by Bugcrowd

If you are reporting a product related security vulnerabilities, this is the correct place. If you have not already, consider using out GPG key here: https://www.teslamotors.com/sites/default/files/downloads/teslavulnerabilitypgp.asc

Thank you,
Tesla Information Security
 

ABC2D

Active Member
Dec 19, 2016
1,207
1,734
Home
Wasnt there an incident when @wk057 found something in the firmware and posted an encrypted message on twitter at 3 am with someone at Tesla encrypting it in a matter of hours and contacted him? And that was about the new then 100D or something. I mean, how come that thing got so much attention in matter of hours and this, much more serious issue, is unanswered for MONTHS?!?!

Something is amiss
 

chillaban

Active Member
May 5, 2016
3,723
6,599
Bay Area
Wasnt there an incident when @wk057 found something in the firmware and posted an encrypted message on twitter at 3 am with someone at Tesla encrypting it in a matter of hours and contacted him? And that was about the new then 100D or something. I mean, how come that thing got so much attention in matter of hours and this, much more serious issue, is unanswered for MONTHS?!?!

Something is amiss

Sadly it seems like a trend that the way to grab the attention of a tech company is to tweet at them or otherwise escalate via the media. Otherwise things slip through the crack. Tesla said they didn’t get verygreen’s email. Not sure if I believe that or not
 

ABC2D

Active Member
Dec 19, 2016
1,207
1,734
Home
Tesla said they didn’t get verygreen’s email. Not sure if I believe that or not
Well, we will never know, but anyone from IT knows that this is easily verifiable - check the logs and everything will be clear if an email was delivered, where was it delivered to, and what happened to that email since then.

If in fact an email was received but "slipped through the cracks", the person who allowed that email to "slip through the cracks" should definitely be fired. This is much larger problem that Aaron using "discounts" in his email and getting canned for that. Here, we are talking about leaving the key the the house at the front door.
 
  • Like
Reactions: neroden

chillaban

Active Member
May 5, 2016
3,723
6,599
Bay Area
Well, we will never know, but anyone from IT knows that this is easily verifiable - check the logs and everything will be clear if an email was delivered, where was it delivered to, and what happened to that email since then.

If in fact an email was received but "slipped through the cracks", the person who allowed that email to "slip through the cracks" should definitely be fired. This is much larger problem that Aaron using "discounts" in his email and getting canned for that. Here, we are talking about leaving the key the the house at the front door.

I completely agree but assuming that none of us work at Tesla in their IT department it’s unclear if we can ever get the answers we want. We either have to believe Tesla or believe verygreen.....
 

mongo

Well-Known Member
May 3, 2017
16,619
62,456
Michigan
This is much larger problem that Aaron using "discounts" in his email and getting canned for that. Here, we are talking about leaving the key the the house at the front door.

That may be a bit extreme. Since the key was for the map server, it may be more akin to letting someone swap your newspaper.

Some might even appreciate 3rd party map severs with adjusted speed limits... Great, now I have Quake maps running through my head.
 
Sadly it seems like a trend that the way to grab the attention of a tech company is to tweet at them or otherwise escalate via the media. Otherwise things slip through the crack. Tesla said they didn’t get verygreen’s email. Not sure if I believe that or not

Keep in mind that Tesla lost numerous senior staff during 2017. This probably fell under the purview of at least one of them. I doubt they were motivated to do the honorable thing on the way out the door.
 

HankLloydRight

No Roads
Supporting Member
Jan 18, 2014
13,619
12,081
Connecticut
Wasnt there an incident when @wk057 found something in the firmware and posted an encrypted message on twitter at 3 am with someone at Tesla encrypting it in a matter of hours and contacted him? And that was about the new then 100D or something. I mean, how come that thing got so much attention in matter of hours and this, much more serious issue, is unanswered for MONTHS?!?!

Something is amiss

I believe he posted an easily decoded/crackable hash that almost anyone could figure out that led to the (previously un-announced) 100D logo/image. It was a thinly veiled way to release the information without actually releasing the information.

Immediately following that Tesla tried to downgrade his firmware without his permission.

(At least this is how I remember it, I might be a little off).
 

ABC2D

Active Member
Dec 19, 2016
1,207
1,734
Home
I believe he posted an easily decoded/crackable hash that almost anyone could figure out that led to the (previously un-announced) 100D logo/image. It was a thinly veiled way to release the information without actually releasing the information.

Immediately following that Tesla tried to downgrade his firmware without his permission.

(At least this is how I remember it, I might be a little off).
Yes, yes, yes! That one! I mean, the mere possibility of leaking a new product got their attention and immediate response/retaliation but this - got nothing (at least at first). Seems that they are in contact with verygreen now.
 
  • Like
Reactions: neroden

schonelucht

Well-Known Member
Mar 10, 2014
5,080
9,788
Nederland
That may be a bit extreme. Since the key was for the map server, it may be more akin to letting someone swap your newspaper.

Except that newspaper is being processed by Tesla's navigation software containing with a near 100% guarantee bugs related to processing maps in an unexpected format which means user level access on at least one device on the internal bus etc... Security is no joke.
 
  • Like
Reactions: neroden and Ulmo

BigD0g

Active Member
Jan 12, 2017
2,019
4,429
Somewhere
I believe he posted an easily decoded/crackable hash that almost anyone could figure out that led to the (previously un-announced) 100D logo/image. It was a thinly veiled way to release the information without actually releasing the information.

Immediately following that Tesla tried to downgrade his firmware without his permission.

(At least this is how I remember it, I might be a little off).

Yep, Bingo on all counts.
 

About Us

Formed in 2006, Tesla Motors Club (TMC) was the first independent online Tesla community. Today it remains the largest and most dynamic community of Tesla enthusiasts. Learn more.

Do you value your experience at TMC? Consider becoming a Supporting Member of Tesla Motors Club. As a thank you for your contribution, you'll get nearly no ads in the Community and Groups sections. Additional perks are available depending on the level of contribution. Please visit the Account Upgrades page for more details.


SUPPORT TMC
Top