Ok, so Tesla fixed the issue just before midnight (California time) and I can confirm it as fixed too.
Having this key file would allow nefarious people to create their own "maps server" to serve their own map "updates" to your car.
Of course they could only do this if they are somehow positioned between your car and internet in most cases (there are other vectors, but they are harder to perform), hence the warning.
Ignorance is bliss....
Fortunately, they only use it for prank calls.
Hopefully that's being done too but when I hear someone can email the Clinton campaign and say a password change is needed, and it gets cleared by the IT guy
The IT guy flagged it as phishing but had a typo in his response (which still wouldn't matter if the assistant had used the correct web site for a password change vs clicking on email link)
Comrade, don't panic! Everything is under the control of the Party and the Government.
Thanks for the clarification but I don't see it as changing my point. He asked and did what IT told him - how it happened is relevant to those who need to close holes but not to my point. The entire system is flawed and Russia has moved away from spending money on weapons to spending money on hacking and influence with phony websites that generate phony news to sway opinions. But not to worry, Trump's in control and he wants to increase spending on weapons and said some guy in his basement could have hacked Clinton's email just as easily as the Russians -- or something like that -- I'm sure my recollection is somewhat wrong there too. But my point is that is where my concern lies -- not with someone hacking my maps. But I do appreciate and admire the OP and his skills and in getting the hole closed. My hat is off to him. Now move on to the Russians please...
Tesla runs a bug bounty program: Tesla’s bug bounty program | Powered by Bugcrowd. If genuine, that's where it should be reported.
Model 3 has new maps. Do you know if they are the ones you are talking about?
It looks like, as map updates are being prepared for early next year (in Europe and probably in US), people should be extra careful about their wifi and cell providers.
I tried to let Tesla know about some holes in their maps infrastructure, but they never replied to me, so I guess they don't care as much, even though they did close some of the holes outlined.
The problem is while the holes were there, the secret key for the maps server was publicly accessible for almost a year, so who knows how many people downloaded that.
Having this key file would allow nefarious people to create their own "maps server" to serve their own map "updates" to your car.
This is further compounded by the fact that Tesla never lets you know when a maps update is being downloaded to your car, you just get a notification once it's done, but it's too late by then.
Of course they could only do this if they are somehow positioned between your car and internet in most cases (there are other vectors, but they are harder to perform), hence the warning.
And if we are lucky Tesla would finally do something about replacing the key and will protect it better next time too.
It's been over 60 days since my last attempt to draw Tesla's attention to the matter (over 300 days of the key accessibility), so I feel like holding on to this information is more dangerous than letting it go into the open.
Posted in the main Tesla thread since hopefully both X and S owners read it and I don't need to have several threads to monitor.
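A pre-publication check for the kind of exposure described in the post above, as an added example that is not part of the original post and not Tesla's tooling: it scans text about to be served publicly for PEM private-key blocks. The function names, file names and sample data are constructed for illustration.

```python
import base64
import re

# Matches PKCS#1, SEC1, PKCS#8 and OpenSSH private-key PEM armor.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    r"(.*?)-----END \1-----",
    re.DOTALL,
)

def find_private_keys(name, text):
    """Return one finding per PEM private-key block found in `text`."""
    findings = []
    for match in PEM_PRIVATE_KEY.finditer(text):
        body = "".join(match.group(2).split())  # drop newlines and spaces
        try:
            der = base64.b64decode(body, validate=True)
            intact = der[:1] == b"\x30"  # DER SEQUENCE tag (PKCS#1/PKCS#8/SEC1)
        except ValueError:  # binascii.Error is a ValueError subclass
            intact = False
        findings.append({
            "file": name,
            "line": text.count("\n", 0, match.start()) + 1,
            "label": match.group(1),
            # A damaged or partly redacted block is still reported: the
            # armor alone shows key material reached a public location.
            "intact_der": intact,
        })
    return findings

def _constructed_pem(label, payload):
    """Wrap arbitrary bytes in PEM armor (used only to build sample input)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# Constructed sample inputs: zero bytes behind a DER header, not real keys.
SAMPLES = {
    "maps/config.txt": "server=example.invalid\n"
    + _constructed_pem("RSA PRIVATE KEY", b"\x30\x82\x00\x60" + bytes(96)),
    "maps/notes.txt": "-----BEGIN PRIVATE KEY-----\n[line removed]\n-----END PRIVATE KEY-----\n",
    "maps/cert.txt": "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
}

def scan_samples():
    return [f for name, text in SAMPLES.items() for f in find_private_keys(name, text)]

if __name__ == "__main__":
    for finding in scan_samples():
        print(finding)
```

Any finding, intact or not, means the key should be treated as disclosed and replaced, since removing the file does not recall copies already downloaded.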
No, these are standard Navigon maps. Just updated. But "Tesla Maps" (what you call Model 3 maps) could be distributed in exactly the same way and are in Middle East and Taiwan. It's just different regions get different map data providers.
Model 3 has new maps. Do you know if they are the ones you are talking about?
Thankfully this got fixed. I was worried someone would get between my car and internet and redraw my maps and I'd get lost...
Please don't get me wrong, it's very impressive work -- and way over my head. I just wish this knowledge was being used to protect us from Russian hacking, ISIS attacks, etc. instead of my Tesla's maps. Hopefully that's being done too but when I hear someone can email the Clinton campaign and say a password change is needed, and it gets cleared by the IT guy, and that leads to the theft of thousands of emails, perhaps changing the election, I just can't help but roll my eyes at something like this -- and that people are surprised there's a hole and Tesla won't plug it. I'm surprised when anything is locked down properly when systems are so easily compromised. There's online prank call shows where they call major businesses, etc. say they're from the corporate office, IT dept, been transferred from collections, etc. and they often easily gain access to their computers and all information including passwords. Fortunately, they only use it for prank calls.
You joke, but it wouldn't be so funny if someone made nefarious maps that made your car suddenly think the speed limit was 20mph while using autopilot going 65 on the freeway.
@Canuck I guess the bigger fear was being able to execute foreign code through map update, if the map update has a security flaw. I.e. installing malware on the Model S/X computer network.
Someone doesn't have to want to kill you exactly. Someone might want to wreak havoc in all Teslas, not at all an unlikely desire IMO. People do a lot of crazy stuff for fame...
Exactly. If you bothered to protect it with cryptographic verification that likely reflects that engineering assumptions were made along the lines of “nahhh we don’t need to further validate this because the map updates are signed anyway”
Plus the thing that bothers me is that if they left a private key up for a year, what other security oversights could exist in that culture/atmosphere?