Car Hacking Research: Remote Attack Tesla Motors by Keen Security Lab

Discussion in 'Model S' started by Lump, Sep 19, 2016.

  1. Lump

    Lump Active Member

    Joined:
    Mar 31, 2013
    Messages:
    2,112
    Location:
    So. Cal.
    #1 Lump, Sep 19, 2016
    Last edited: Sep 19, 2016


    Maybe @wk057 or @Ingineer might share a comment; they claim totally remote without physical contact.
     
    • Informative x 4
  2. Tam

    Tam Active Member

    Joined:
    Nov 25, 2012
    Messages:
    1,048
    Location:
    Visalia, CA
    It's great that we have honest remote attackers!

    Thanks for sharing the link.
     
  3. djgabriel2004

    djgabriel2004 Member

    Joined:
    Mar 24, 2016
    Messages:
    25
    Location:
    Boca raton, FL
    Nice bug!! Looks real. I think Tesla should hire these guys to test the security of the system and report bugs so Tesla can get them fixed quickly.
     
  4. ibdb

    ibdb 3 Car Garage and a 5 Car Life

    Joined:
    Apr 29, 2015
    Messages:
    220
    Location:
    Puyallup, WA
    I don't think I saw brake lights when they remotely activated the brakes. Brake lights only came on after the car had come to a stop.

    I wonder if a fix might have been linked to the update that rolled out the last couple days as "bugfixes."
     
  5. Austral

    Austral Member

    Joined:
    Jul 4, 2016
    Messages:
    173
    Location:
    McLean
    • Like x 1
  6. Ulmo

    Ulmo Active Member

    Joined:
    Jan 19, 2016
    Messages:
    1,024
    Location:
    San Jose, California
    #6 Ulmo, Sep 19, 2016
    Last edited: Sep 19, 2016

    So, in other words:

    1. If you don't want to be hacked, and don't want to hack it yourself, upgrade to latest firmware as soon as possible.

    2. If you do want to hack your own car, immediately isolate it from the network by turning off wifi and pulling out the cell phone and bluetooth data connections, wait for this exploit description, and away you go. But! Only do this if you are super responsible and won't get anyone in danger, and have the development skills to program in your own safety protocols to fix these leaks in the future for your own hacked car (you might not catch them all and be vulnerable!). You pretty much already know what kind of research to do if this is your option, and probably already know a lot of the steps to take.

    So, pretty much almost everyone here wants to do step #1. Sorry, folks, who don't want the updated UI.

    1.5. As I pedantically sit here and proofread my message, I realize there's a 1.5 option: something in between. That is, turn off wifi and cell phone data and bluetooth (pull out those ways of communicating -- I think this is a hardware hack!), and then in that case, no one will be remotely getting into your car over established network links, unless you use an exploited charger somewhere (such as a SuperCharger, Chademo, CCS, Level 1 or 2, HPWC, any kind of charger at all, since they will all be able to talk network to the Tesla through the charge port). That way you can safely stay on your old firmware (but you always have to charge at home on a non-hacked HPWC that no one has remote hacked, or something like a 50 Amp plug that hasn't been hacked (supposedly, they could install a communicator box on the power lines near your house someplace and hack into your car like that, so maybe use only a non-networkable DC-AC inverter such as found on some solar systems to charge, although most inverters are going to be highly networked in the future (I'm in favor of networked inverters for a lot of reasons -- ugh))). Um, yes, this is a bit paranoid today, but in 5 to 10 years, not so much --- when it's commonplace and your local mobster has access to these types of exploits (or knows someone who does).
     
  7. S4WRXTTCS

    S4WRXTTCS Active Member

    Joined:
    May 3, 2015
    Messages:
    1,180
    Location:
    Snohomish, WA
    I guess we now know the purpose of the latest update that was released right before we're supposed to get 8.0

    The last time security researchers found security bugs we had an update the day before the security researchers released their report.
     
  8. silentsnow31802

    Joined:
    Feb 26, 2016
    Messages:
    80
    Location:
    Napa, Ca
    I also heard the car go into park when it came to a stop. It was as if the car sensed unwanted movement and stopped itself. Same thing as if you were to get out of the car with it in drive. Wonder if it would work at speed.
     
  9. trils0n

    trils0n 2013 P85

    Joined:
    Feb 12, 2013
    Messages:
    1,298
    Location:
    SF Bay Area
    #9 trils0n, Sep 20, 2016
    Last edited: Sep 20, 2016
    Yeah, that was the parking brake sound. Wonder if they had control of the regular brakes in addition to the parking brake. I could see the parking brake thing working a number of ways (particularly fooling the seat occupancy sensor, because at low speeds it will put on the parking brake if you get out of the seat)

    Some other stuff, like sunroof and unlocking the doors can be done through the app/API. Was interesting that it appeared they could only control the mirror folding when the turn signal was on.

    EDIT: according to this article, the fix for these issues has already been deployed (2.36.31 software), and that the hack would only work through the web browser when connected to a malicious wifi network. Pretty rare, but still good Tesla fixed it.

    Car hackers demonstrate wireless attack on Tesla Model S
     
  10. cynix

    cynix Member

    Joined:
    Jul 7, 2014
    Messages:
    653
    Location:
    Sydney, Australia
    Ah. I was hoping to finally be able to gain root access to my car so that I can enable the web browser, but looks like I have a classic chicken-and-egg problem here.
     
  11. mwulff

    mwulff Member

    Joined:
    Jan 15, 2015
    Messages:
    348
    Location:
    Danmark
    It's not worth hacking the car to get the web browser, it really isn't that useful anyway.
     
  12. whitex

    whitex Member

    Joined:
    Sep 30, 2015
    Messages:
    587
    Location:
    Seattle area, WA
    Then the article is wrong, or more likely the author lacks imagination (and/or security expertise) and just jumped to conclusions. Since it is a web browser vulnerability, it can also be exploited by any man-in-the-middle attack, or hacking the actual web server, as long as the web browser accesses the site. So, hacking common sites like waze for tesla, or plugshare for example would yield you a treasure trove of cars to be controlled. Or maybe it's easier to hack some of the less popular, but still used by some Teslas, pages like the tesla dashboards or other web pages people like to use in their Teslas. Heck, make your own site that offers some usefulness (tell people they can track their horsepower in their Tesla) and some will click the link in their cars.
     
  13. mwulff

    mwulff Member

    Joined:
    Jan 15, 2015
    Messages:
    348
    Location:
    Danmark
    Wouldn't that depend on whether the browser or the wifi stack had the vulnerability? If the browser had the vulnerability then you would be correct and the article is wrong.

    If the bug is in the wifi stack but is only exploitable through traffic from the browser (since it doesn't go over the VPN) then you need the wifi connection.
     
  14. cynix

    cynix Member

    Joined:
    Jul 7, 2014
    Messages:
    653
    Location:
    Sydney, Australia
    The web browser isn't the only thing that's disabled here. Keyfob-controlled Summon is another, more useful, example.
     
  15. whitex

    whitex Member

    Joined:
    Sep 30, 2015
    Messages:
    587
    Location:
    Seattle area, WA
    WiFi stack is not considered a part of the browser. If there was a WiFi stack exploit, very good chance it could be exploited when anything else is communicating (Nav, VPN, etc). Btw, there are more ways to exploit either without making the car connect to a rogue access point, I just don't want to post ideas for people who may not be responsible researchers ;-)
     
  16. LastGas

    LastGas Member

    Joined:
    Aug 13, 2016
    Messages:
    243
    Location:
    South Carolina
    #16 LastGas, Sep 20, 2016
    Last edited: Sep 20, 2016
    I am dismayed to find out that Tesla is not effectively hardening their systems against external attack. What I saw in this video I consider evidence of gross negligence and ineptitude on the part of Tesla. Such disregard for the safety of their customers is inexcusable. I say this not only as a customer but a stockholder.

    One traffic fatality in Florida turned into a media nightmare for Tesla, even though owners mostly understand the limits of technology. Imagine what would happen if a Tesla got hacked on the highway and suddenly stopped on a major highway, causing a 100-car pile up.

    That could prove fatal for both customers and the company.
     
    • Dislike x 13
  17. mwulff

    mwulff Member

    Joined:
    Jan 15, 2015
    Messages:
    348
    Location:
    Danmark
    I think Tesla has done everything they should. No computer system is 100% secure and safe (at least a connected system). Tesla did due diligence, worked with security researchers, fixed the bug, deployed the patch to customers before the exploit was known to the public.

    These are not the actions of a company that disregards the safety of their customers. These are the actions of a responsible company that cares about their customers.

    If you wish to accuse someone of gross negligence with regards to computer security I would suggest looking at Jeep and Toyota. Tesla has built a remarkably safe and resilient system into its cars and patches these systems promptly to protect customers.

    Where is the negligence in that?
     
    • Like x 1
  18. LastGas

    LastGas Member

    Joined:
    Aug 13, 2016
    Messages:
    243
    Location:
    South Carolina
    #18 LastGas, Sep 20, 2016
    Last edited: Sep 20, 2016
    Do you think this security company actually discovered a new vulnerability? The chances are next to nil that they came up with a zero-day exploit against the Linux TCP/IP stack, and that means that Tesla almost certainly deployed an unpatched version of Linux to run the MCU with a known vulnerability. Doing that is inexcusable for a mission-critical, life-and-death software application such as the Tesla control system.

    Commenters are urging Tesla owners to update to the latest firmware, and this is sound advice. Tesla should be applying the latest Linux patches with the same diligence.

    I don't buy the argument that computer systems aren't 100% safe, so it's excusable that they get hacked. It is NOT OK. Tesla is deploying a system that holds the lives of its customers in its hands, and it is never OK for it to fail.

    Enthusiast communities rush to defend whatever they are enthusiastic about, and I was disheartened, but not surprised, for there to be no criticism of Tesla in the first dozen comments on this story. I suggest that folks try to get past their biases and appreciate this event for what it is, and what it tells us about Tesla's failure to use best practices in its software.
     
    • Like x 1
  19. LastGas

    LastGas Member

    Joined:
    Aug 13, 2016
    Messages:
    243
    Location:
    South Carolina
    The hack was to the MCU, which has a button to apply the parking brake. Regular braking wouldn't have been accessible to the MCU (I don't think).
     
  20. LastGas

    LastGas Member

    Joined:
    Aug 13, 2016
    Messages:
    243
    Location:
    South Carolina
    I think for this exploit to work, the car must have been connected to a Wi-Fi network controlled by the intruder. Then when the search was entered by the user, it was intercepted by the intruder's network and a malformed response returned that broke the TCP/IP stack, overflowed a buffer and allowed the intruder to insert code and take over the MCU, which has settings for the mirrors, parking brake, horn, lights, etc.

    That suggests that Tesla owners should be cautious about what Wi-Fi networks they connect their cars to and perhaps it would be prudent to only connect to their own private networks.
     
