
Car Hacking Research: Remote Attack Tesla Motors by Keen Security Lab

I don't think I saw brake lights when they remotely activated the brakes. Brake lights only came on after the car had come to a stop.

I wonder if a fix might have been linked to the update that rolled out the last couple days as "bugfixes."
 
KEENLAB ‏@keen_lab
@0xcharlie @nudehaberdasher p2o=pwn2own for the 140-char limit. We plan to publish the details after the fix is pushed to Tesla owners.

8:00 PM - 19 Sep 2016


So, in other words:

1. If you don't want to be hacked, and don't want to hack it yourself, upgrade to latest firmware as soon as possible.

2. If you do want to hack your own car, immediately isolate it from the network by turning off wifi and pulling out the cell phone and bluetooth data connections, wait for this exploit description, and away you go. But! Only do this if you are super responsible and won't get anyone in danger, and have the development skills to program in your own safety protocols to fix these leaks in the future for your own hacked car (you might not catch them all and be vulnerable!). You pretty much already know what kind of research to do if this is your option, and probably already know a lot of the steps to take.

So, pretty much almost everyone here wants to do step #1. Sorry, folks, who don't want the updated UI.

1.5. As I pedantically sit here and proofread my message, I realize there's a 1.5 option: something in between. That is, turn off wifi and cell phone data and bluetooth (pull out those ways of communicating -- I think this is a hardware hack!), and then in that case, no one will be remotely getting into your car over established network links, unless you use an exploited charger somewhere (such as a SuperCharger, Chademo, CCS, Level 1 or 2, HPWC, any kind of charger at all, since they will all be able to talk network to the Tesla through the charge port). That way you can safely stay on your old firmware (but you always have to charge at home on a non-hacked HPWC that no one has remote hacked, or something like a 50 Amp plug that hasn't been hacked (supposedly, they could install a communicator box on the power lines near your house someplace and hack into your car like that, so maybe use only a non-networkable DC-AC inverter such as found on some solar systems to charge, although most inverters are going to be highly networked in the future (I'm in favor of networked inverters for a lot of reasons -- ugh))). Um, yes, this is a bit paranoid today, but in 5 to 10 years, not so much --- when it's commonplace and your local mobster has access to these types of exploits (or knows someone who does).
 
I don't think I saw brake lights when they remotely activated the brakes. Brake lights only came on after the car had come to a stop.

I wonder if a fix might have been linked to the update that rolled out the last couple days as "bugfixes."

I also heard the car go into park when it came to a stop. It was as if the car sensed unwanted movement and stopped itself. Same thing as if you were to get out of the car with it in drive. Wonder if it would work at speed.
 
I also heard the car go into park when it came to a stop.

Yeah, that was the parking brake sound. Wonder if they had control of the regular brakes in addition to the parking brake. I could see the parking brake thing working a number of ways (particularly fooling the seat occupancy sensor, because at low speeds it will put on the parking brake if you get out of the seat)

Some other stuff, like sunroof and unlocking the doors can be done through the app/API. Was interesting that it appeared they could only control the mirror folding when the turn signal was on.

EDIT: according to this article, the fix for these issues has already been deployed (2.36.31 software), and that the hack would only work through the web browser when connected to a malicious wifi network. Pretty rare, but still good Tesla fixed it.

Car hackers demonstrate wireless attack on Tesla Model S
 
EDIT: according to this article, the fix for these issues has already been deployed (2.36.31 software), and that the hack would only work through the web browser when connected to a malicious wifi network. Pretty rare, but still good Tesla fixed it.
Car hackers demonstrate wireless attack on Tesla Model S

Then the article is wrong, or more likely the author lacks imagination (and/or security expertise) and just jumped to conclusions. Since it is a web browser vulnerability, it can also be exploited by any man-in-the-middle attack, or hacking the actual web server, as long as the web browser accesses the site. So, hacking common sites like waze for tesla, or plugshare for example would yield you a treasure trove of cars to be controlled. Or maybe it's easier to hack some of the less popular, but still used by some Teslas, pages like the tesla dashboards or other web pages people like to use in their Teslas. Heck, make your own site that offers some usefulness (tell people they can track their horsepower in their Tesla) and some will click the link in their cars.
 
Wouldn't that depend on whether the browser or the wifi stack had the vulnerability? If the browser had the vulnerability then you would be correct and the article is wrong.

If the bug is in the wifi stack but is only exploitable through traffic from the browser (since it doesn't go over the VPN) then you need the wifi connection.
 
Wouldn't that depend on whether the browser or the wifi stack had the vulnerability? If the browser had the vulnerability then you would be correct and the article is wrong.

If the bug is in the wifi stack but is only exploitable through traffic from the browser (since it doesn't go over the VPN) then you need the wifi connection.

WiFi stack is not considered a part of the browser. If there was a WiFi stack exploit, very good chance it could be exploited when anything else is communicating (Nav, VPN, etc). Btw, there are more ways to exploit either without making the car connect to a rogue access point, I just don't want to post ideas for people who may not be responsible researchers ;-)
 
I am dismayed to find out that Tesla is not effectively hardening their systems against external attack. What I saw in this video I consider evidence of gross negligence and ineptitude on the part of Tesla. Such disregard for the safety of their customers is inexcusable. I say this not only as a customer but a stockholder.

One traffic fatality in Florida turned into a media nightmare for Tesla, even though owners mostly understand the limits of technology. Imagine what would happen if a Tesla got hacked on the highway and suddenly stopped on a major highway, causing a 100-car pile up.

That could prove fatal for both customers and the company.
 
I think Tesla has done everything they should. No computer system is 100% secure and safe (at least a connected system). Tesla did due diligence, worked with security researchers, fixed the bug, deployed the patch to customers before the exploit was known to the public.

These are not the actions of a company that disregards the safety of their customers. These are the actions of a responsible company that cares about their customers.

If you wish to accuse someone of gross negligence with regards to computer security I would suggest looking at Jeep and Toyota. Tesla has built a remarkably safe and resilient system into its cars and patches these systems promptly to protect customers.

Where is the negligence in that?
 
...
Where is the negligence in that?

Do you think this security company actually discovered a new vulnerability? The chances are next to nil that they came up with a zero-day exploit against the Linux TCP/IP stack, and that means that Tesla almost certainly deployed an unpatched version of Linux to run the MCU with a known vulnerability. Doing that is inexcusable for a mission-critical, life-and-death software application such as the Tesla control system.

Commenters are urging Tesla owners to update to the latest firmware, and this is sound advice. Tesla should be applying the latest Linux patches with the same diligence.

I don't buy the argument that computer systems aren't 100% safe, so it's excusable that they get hacked. It is NOT OK. Tesla is deploying a system that holds the lives of its customers in its hands, and it is never OK for it to fail.

Enthusiast communities rush to defend whatever they are enthusiastic about, and I was disheartened, but not surprised, for there to be no criticism of Tesla in the first dozen comments on this story. I suggest that folks try to get past their biases and appreciate this event for what it is, and what it tells us about Tesla's failure to use best practices in its software.
 
I think for this exploit to work, the car must have been connected to a Wi-Fi network controlled by the intruder. Then when the search was entered by the user, it was intercepted by the intruder's network and a malformed response returned that broke the TCP/IP stack, overflowed a buffer and allowed the intruder to insert code and take over the MCU, which has settings for the mirrors, parking brake, horn, lights, etc.

That suggests that Tesla owners should be cautious about what Wi-Fi networks they connect their cars to and perhaps it would be prudent to only connect to their own private networks.