Welcome to Tesla Motors Club

Be careful where you let your car ride on wifi in the coming weeks

Having this key file would allow nefarious people to create their own "maps server" to serve their own map "updates" to your car.

Of course they could only do this if they are somehow positioned between your car and internet in most cases (there are other vectors, but they are harder to perform), hence the warning.

Thankfully this got fixed. I was worried someone would get between my car and internet and redraw my maps and I'd get lost... ;)

Please don't get me wrong, it's very impressive work -- and way over my head. I just wish this knowledge was being used to protect us from Russian hacking, ISIS attacks, etc. instead of my Tesla's maps. Hopefully that's being done too but when I hear someone can email the Clinton campaign and say a password change is needed, and it gets cleared by the IT guy, and that leads to the theft of thousands of emails, perhaps changing the election, I just can't help but roll my eyes at something like this -- and that people are surprised there's a hole and Tesla won't plug it. I'm surprised when anything is locked down properly when systems are so easily compromised. There's online prank call shows where they call major businesses, etc. say they're from the corporate office, IT dept, been transferred from collections, etc. and they often easily gain access to their computers and all information including passwords. Fortunately, they only use it for prank calls.
 
Sorry for the off topic

Hopefully that's being done too but when I hear someone can email the Clinton campaign and say a password change is needed, and it gets cleared by the IT guy

The IT guy flagged it as phishing but had a typo in his response (which still wouldn't matter if the assistant had used the correct web site for a password change vs clicking on email link)
article
 
The IT guy flagged it as phishing but had a typo in his response (which still wouldn't matter if the assistant had used the correct web site for a password change vs clicking on email link)

Thanks for the clarification but I don't see it as changing my point. He asked and did what IT told him - how it happened is relevant to those who need to close holes but not to my point. The entire system is flawed and Russia has moved away from spending money on weapons to spending money on hacking and influence with phony websites that generate phony news to sway opinions. But not to worry, Trump's in control and he wants to increase spending on weapons and said some guy in his basement could have hacked Clinton's email just as easily as the Russians -- or something like that -- I'm sure my recollection is somewhat wrong there too. But my point is that is where my concern lies -- not with someone hacking my maps. But I do appreciate and admire the OP and his skills and in getting the hole closed. My hat is off to him. Now move on to the Russians please... ;)
 
Thanks for the clarification but I don't see it as changing my point. He asked and did what IT told him - how it happened is relevant to those who need to close holes but not to my point. The entire system is flawed and Russia has moved away from spending money on weapons to spending money on hacking and influence with phony websites that generate phony news to sway opinions. But not to worry, Trump's in control and he wants to increase spending on weapons and said some guy in his basement could have hacked Clinton's email just as easily as the Russians -- or something like that -- I'm sure my recollection is somewhat wrong there too. But my point is that is where my concern lies -- not with someone hacking my maps. But I do appreciate and admire the OP and his skills and in getting the hole closed. My hat is off to him. Now move on to the Russians please... ;)
Comrade, don't panic! Everything is under the control of the Party and the Government.

;)
 
It looks like as map updates are being prepared for early next year (in Europe and probably in US), people should be extra careful about their wifi and cell providers.

I tried to let Tesla know about some holes in their maps infrastructure, but they never replied to me, so I guess they don't care as much, even though they did close some of the holes outlined.

The problem is while the holes were there, the secret key for the maps server was publicly accessible for almost a year, so who knows how many people downloaded that.
Having this key file would allow nefarious people to create their own "maps server" to serve their own map "updates" to your car.
This is further compounded by the fact that Tesla never lets you know when a maps update is being downloaded to your car, you just get a notification once it's done, but it's too late by then.

Of course they could only do this if they are somehow positioned between your car and internet in most cases (there are other vectors, but they are harder to perform), hence the warning.
And if we are lucky Tesla would finally do something about replacing the key and will protect it better next time too.

It's been over 60 days since my last attempt to draw Tesla's attention to the matter (over 300 days of the key accessibility), so I feel like holding on to this information is more dangerous than letting it go into the open.


Posted in the main Tesla thread since hopefully both X and S owners read it and I don't need to have several threads to monitor.
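
Added example, not part of the original post and not Tesla's code: the post above describes a maps-server private key that sat in a publicly reachable location for almost a year. A pre-publish check like the following walks a directory that is about to be served and flags any PEM private-key header; the directory layout and file names in `demo()` are constructed for illustration and contain no real key material.

```python
import re
import tempfile
from pathlib import Path

# PEM header of any private key: PKCS#1 ("RSA PRIVATE KEY"), PKCS#8
# ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"), EC, OpenSSH, and so on.
PEM_PRIVATE = re.compile(rb"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----")
MAX_BYTES = 1 << 20  # read at most the first 1 MiB of each file


def find_private_keys(root):
    """Return sorted (relative_path, line_number, key_type) tuples for
    every PEM private-key header found in regular files under root."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                data = fh.read(MAX_BYTES)
        except OSError:
            continue  # unreadable file: skip it, keep scanning the rest
        for m in PEM_PRIVATE.finditer(data):
            line = data.count(b"\n", 0, m.start()) + 1
            rel = path.relative_to(root).as_posix()
            hits.append((rel, line, m.group(1).decode()))
    return sorted(hits)


def demo():
    """Scan a constructed web root (placeholder contents only)."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp)
        (web / "maps").mkdir()
        (web / "maps" / "index.html").write_text("<h1>map packages</h1>\n")
        # A public key is fine to serve and must not be flagged.
        (web / "maps" / "server.pub").write_text(
            "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n")
        # Key pasted into an unrelated file, header on line 2.
        (web / "maps" / "notes.txt").write_text(
            "notes\n-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n")
        # Passphrase-protected keys are still reported.
        (web / "deploy.key").write_text(
            "-----BEGIN ENCRYPTED PRIVATE KEY-----\nCONSTRUCTED\n")
        return find_private_keys(web)


if __name__ == "__main__":
    for rel, line, kind in demo():
        print(f"{rel}:{line}: {kind}")
```

A hit should block the publish step and trigger rotation of the affected key, since there is no way to tell who copied it while it was exposed.
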
Model 3 has new maps. Do you know if they are the ones you are talking about?
 
Model 3 has new maps. Do you know if they are the ones you are talking about?
No, these are standard Navigon maps. Just updated. But "Tesla Maps" (what you call Model 3 maps) could be distributed in exactly the same way and are in Middle East and Taiwan. It's just different regions get different map data providers.
North America will probably switch to Tesla Maps eventually too, since Model 3 uses them, but I don't know when.

edit: if you saw my previous reply to that - that was just a mistake in the topic.
 
Thankfully this got fixed. I was worried someone would get between my car and internet and redraw my maps and I'd get lost... ;)

Please don't get me wrong, it's very impressive work -- and way over my head. I just wish this knowledge was being used to protect us from Russian hacking, ISIS attacks, etc. instead of my Tesla's maps. Hopefully that's being done too but when I hear someone can email the Clinton campaign and say a password change is needed, and it gets cleared by the IT guy, and that leads to the theft of thousands of emails, perhaps changing the election, I just can't help but roll my eyes at something like this -- and that people are surprised there's a hole and Tesla won't plug it. I'm surprised when anything is locked down properly when systems are so easily compromised. There's online prank call shows where they call major businesses, etc. say they're from the corporate office, IT dept, been transferred from collections, etc. and they often easily gain access to their computers and all information including passwords. Fortunately, they only use it for prank calls.

You joke, but it wouldn't be so funny if someone made nefarious maps that made your car suddenly think the speed limit was 20mph while using autopilot going 65 on the freeway.
 
You joke, but it wouldn't be so funny if someone made nefarious maps that made your car suddenly think the speed limit was 20mph while using autopilot going 65 on the freeway.

No, it wouldn't be funny, it would be a miracle since my car doesn't have AP.

But if someone wants to kill me, I highly doubt that is how they will do it so it doesn't concern me at all.
 
@Canuck I guess the bigger fear was being able to execute foreign code through map update, if the map update has a security flaw. I.e. installing malware on the Model S/X computer network.

Someone doesn't have to want to kill you exactly. Someone might want to wreak havoc in all Teslas, not at all an unlikely desire IMO. People do a lot of crazy stuff for fame...
 
@Canuck I guess the bigger fear was being able to execute foreign code through map update, if the map update has a security flaw. I.e. installing malware on the Model S/X computer network.

Someone doesn't have to want to kill you exactly. Someone might want to wreak havoc in all Teslas, not at all an unlikely desire IMO. People do a lot of crazy stuff for fame...

Exactly. If you bothered to protect it with cryptographic verification that likely reflects that engineering assumptions were made along the lines of “nahhh we don’t need to further validate this because the map updates are signed anyway”


Plus the thing that bothers me is that if they left a private key up for a year, what other security oversights could exist in that culture/atmosphere?
 
Exactly. If you bothered to protect it with cryptographic verification that likely reflects that engineering assumptions were made along the lines of “nahhh we don’t need to further validate this because the map updates are signed anyway”


Plus the thing that bothers me is that if they left a private key up for a year, what other security oversights could exist in that culture/atmosphere?

shhh, stop looking behind the curtain everything is fine!
 