
Car Hacking Research: Remote Attack Tesla Motors by Keen Security Lab

The latest is a good news/bad news story. The bad news is that Tesla wasn't using code signing to distribute software, something that is pretty much standard in the industry. They knew they should be doing it, but they were dragging their feet. The second thing, it appears, is that they shipped a version of Linux with a security patch needed that they hadn't distributed, and they distributed a web browser, but not the patch to fix a security flaw in it.

The good news is that now Tesla signs its code, and they have been burned. Once burned, they should be less likely to repeat this particular mistake.
 
Code signing would not have made any difference, and in fact it is NOT a security measure.

Signing code prevents owners from installing unapproved firmware, it does NOT prevent hackers from gaining access and doing things you don't want them to do.

Code signing is good for big companies, but it is ALWAYS bad for end users.

It doesn't only prevent owners from installing unapproved firmware, it prevents anyone from installing unapproved firmware. That is a security measure.

In this case the hack involved them installing unapproved firmware, by using another vulnerability, on a component on the CANBUS to do what they did. So the code signing requirement would have prevented a good portion of their attack. (But not 100% of it.)
 
It doesn't only prevent owners from installing unapproved firmware, it prevents anyone from installing unapproved firmware. That is a security measure.

In this case the hack involved them installing unapproved firmware, by using another vulnerability, on a component on the CANBUS to do what they did. So the code signing requirement would have prevented a good portion of their attack. (But not 100% of it.)
[citation needed]
There is no indication at all that they installed any firmware at all. As such there's no reason to believe that signed code would have made any difference.
 
You can't get a restraining order to keep your ex girlfriend 500' away from your work or home unless you can prove there's a reasonable risk that she'll do something illegal such as assault you.

A restraining order is meant to prevent an anticipated illegal action. There is nothing illegal being threatened.
Not here. If I threaten you, the court can/may restrain me legally but temporarily. Don't worry, I'm harmless. BTW as strange as this seems, hacking is illegal in China (no legal citations but I just Googled it).
 
Not here. If I threaten you, the court can/may restrain me legally but temporarily. Don't worry, I'm harmless. BTW as strange as this seems, hacking is illegal in China (no legal citations but I just Googled it).
yeah, the key word being threaten, as in to threaten to do harm, where harm would likely be an illegal act such as assault. You'd find that if you go to court asking for a restraining order, and tell them that it's because you don't like the colour of the shirts I wear, they wouldn't find that to be a valid reason for the order and would deny it. The only difference is that in one case there's a reasonable expectation that an illegal act could occur, and in the other there is none.

So in relation to this particular incident, releasing the details of this would not be illegal.

As for China and hacking laws, I think you better read up on that, because if they owned the vehicles, then they haven't actually done any "hacking" according to most legal definitions, especially being that Tesla has a) not required buyers to sign anything limiting their rights to the software, and b) explicitly given permission to do so on multiple occasions.
And if in fact what they did was illegal (which it is not) then whether or not they released the information would be immaterial, and they'd have to answer for the crime already committed.
 
[citation needed]
There is no indication at all that they installed any firmware at all. As such there's no reason to believe that signed code would have made any difference.

Well according to a Wired article they did. Post #154 had a link to the article. That has this quote in it: "The Tencent hackers then used another vulnerability in the Tesla’s Linux operating system to gain full privileges on the car’s head unit, the computer in its dashboard. But even then the group couldn’t send commands to critical driving functions like steering and brakes: The Tesla S’ head unit is separated from its CAN bus by a computer Tesla calls a gateway, which only allows certain commands to be sent from the car’s infotainment system to its driving components. To defeat that safeguard, the hackers simply overwrote the gateway’s firmware with their own. Without code signing, nothing prevents that tactic."
 
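To make the two technical points in this thread concrete (the earlier post arguing that code signing stops anyone, not just owners, from installing unapproved firmware, and the Wired excerpt above describing a gateway that only forwards certain commands and whose firmware was simply overwritten), here is an added Go example. It is not code from Tesla, Keen Security Lab or the Wired article; the image layout, the CAN IDs (0x3C1, 0x3C2, 0x0A5) and the error names are all constructed for this illustration. It models a gateway that forwards only allowlisted command frames from the head unit and flashes a firmware image only when the image carries a valid Ed25519 signature from a pinned release key and does not roll the version back. As the thread itself notes, this closes the "overwrite the gateway firmware" step but does nothing about the browser bug that gave the initial foothold.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed model of a CAN gateway between the head unit and the driving
// components. The image layout and CAN IDs are assumptions for this example.

const imageMagic = "GWFW"

var (
	ErrMalformed    = errors.New("malformed image")
	ErrBadSignature = errors.New("signature does not verify under the release key")
	ErrRollback     = errors.New("image version is older than the installed one")
)

// Hypothetical CAN IDs the head unit may send through the gateway.
var allowedFromHeadUnit = map[uint32]bool{
	0x3C1: true, // climate request (constructed ID)
	0x3C2: true, // door/trunk request (constructed ID)
}

// Gateway keeps the pinned release public key and the installed version.
type Gateway struct {
	releaseKey ed25519.PublicKey
	version    uint32
}

// ForwardCommand reports whether a frame from the head unit is passed on.
// Anything not on the allowlist is dropped regardless of its content.
func (g *Gateway) ForwardCommand(canID uint32) bool {
	return allowedFromHeadUnit[canID]
}

// signedRegion is the byte range the signature covers:
// magic (4) || version (4, big-endian) || payload length (4, big-endian) || payload.
// Signing the header too stops a signed payload from being re-labelled.
func signedRegion(version uint32, payload []byte) []byte {
	hdr := make([]byte, 12)
	copy(hdr, imageMagic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	return append(hdr, payload...)
}

// SignImage models the vendor's release step: signedRegion || signature.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	region := signedRegion(version, payload)
	return append(region, ed25519.Sign(priv, region)...)
}

// Install verifies an image before anything is flashed. The signature is
// checked before the version so an unsigned header cannot steer the
// rollback decision.
func (g *Gateway) Install(image []byte) error {
	if len(image) < 12+ed25519.SignatureSize || string(image[:4]) != imageMagic {
		return ErrMalformed
	}
	version := binary.BigEndian.Uint32(image[4:8])
	n := binary.BigEndian.Uint32(image[8:12])
	if uint64(len(image)) != 12+uint64(n)+ed25519.SignatureSize {
		return ErrMalformed
	}
	region, sig := image[:12+n], image[12+n:]
	if !ed25519.Verify(g.releaseKey, region, sig) {
		return ErrBadSignature
	}
	if version < g.version {
		return ErrRollback
	}
	g.version = version // the payload would be written to flash here
	return nil
}

// Scenario exercises the gateway with a genuine update, a bit-flipped payload,
// an image signed by a different key, a rollback and a truncated image.
func Scenario() map[string]error {
	releasePub, releasePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	gw := &Gateway{releaseKey: releasePub, version: 5}
	payload := []byte("constructed gateway firmware, version 6")

	res := map[string]error{}
	genuine := SignImage(releasePriv, 6, payload)
	res["genuine v6"] = gw.Install(genuine)

	tampered := append([]byte(nil), genuine...)
	tampered[len(tampered)-ed25519.SignatureSize-1] ^= 0x01 // flip a payload bit
	res["tampered payload"] = gw.Install(tampered)

	res["foreign key v7"] = gw.Install(SignImage(otherPriv, 7, payload))
	res["rollback to v4"] = gw.Install(SignImage(releasePriv, 4, payload))
	res["truncated"] = gw.Install(genuine[:len(genuine)-1])
	return res
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-18s -> %v\n", name, err)
	}
	gw := &Gateway{}
	fmt.Println("forward 0x3C1:", gw.ForwardCommand(0x3C1), "forward 0x0A5:", gw.ForwardCommand(0x0A5))
}
```

Only the genuine v6 image installs; the other four are rejected before any byte of their payload is trusted, and the command allowlist drops the unlisted 0x0A5 frame no matter who sends it. The design choice worth noting is that a compromised head unit can still send allowlisted frames, so the allowlist has to be as small as the features actually need.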
[citation needed]
There is no indication at all that they installed any firmware at all. As such there's no reason to believe that signed code would have made any difference.

Tesla Responds to Chinese Hack With a Major Security Upgrade

"The Tencent hackers then used another vulnerability in the Tesla’s Linux operating system to gain full privileges on the car’s head unit, the computer in its dashboard. But even then the group couldn’t send commands to critical driving functions like steering and brakes: The Tesla S’ head unit is separated from its CAN bus by a computer Tesla calls a gateway, which only allows certain commands to be sent from the car’s infotainment system to its driving components. To defeat that safeguard, the hackers simply overwrote the gateway’s firmware with their own. Without code signing, nothing prevents that tactic."

Edit: Sorry for the duplication, just saw Mike posted this too.
 
Well according to a Wired article they did. Post #154 had a link to the article. That has this quote in it: "The Tencent hackers then used another vulnerability in the Tesla’s Linux operating system to gain full privileges on the car’s head unit, the computer in its dashboard. But even then the group couldn’t send commands to critical driving functions like steering and brakes: The Tesla S’ head unit is separated from its CAN bus by a computer Tesla calls a gateway, which only allows certain commands to be sent from the car’s infotainment system to its driving components. To defeat that safeguard, the hackers simply overwrote the gateway’s firmware with their own. Without code signing, nothing prevents that tactic."
I question that, as nothing in the information released by Keenlabs in any way indicates that this was done. First of all, there's no indication that they controlled steering, only brakes, and that at slow speed where it could easily have been the parking brake which is accessible from the CID.
In fact, many of the things they did (most? all?) could in fact be done without root access even, they'd only need network access to use the existing API onboard.
I suspect that the article is poorly written.

I agree fully that remote exploits should be patched.

However increased lockdown only helps their PR department, it hurts end users.
 
yeah, the key word being threaten, as in to threaten to do harm, where harm would likely be an illegal act such as assault. You'd find that if you go to court asking for a restraining order, and tell them that it's because you don't like the colour of the shirts I wear, they wouldn't find that to be a valid reason for the order and would deny it. The only difference is that in one case there's a reasonable expectation that an illegal act could occur, and in the other there is none.

So in relation to this particular incident, releasing the details of this would not be illegal.

As for China and hacking laws, I think you better read up on that, because if they owned the vehicles, then they haven't actually done any "hacking" according to most legal definitions, especially being that Tesla has a) not required buyers to sign anything limiting their rights to the software, and b) explicitly given permission to do so on multiple occasions.
And if in fact what they did was illegal (which it is not) then whether or not they released the information would be immaterial, and they'd have to answer for the crime already committed.
Greene1 neither of us are lawyers but I have personally seen restraining orders from patent trolls to companies they believe are using their code under the theory that they *could* be damaged by the continuation of selling the software in question. That's just one example, but the point is you don't have to prove you *will* be harmed just that you *could* be harmed.
 
I question that, as nothing in the information released by Keenlabs in any way indicates that this was done.
I suspect that the article is poorly written.

The article seems to very clearly call out how the hack went down, and they said that the Tencent hackers emailed them with those details. I guess we won't know for sure until they actually release the details publicly, but since Tesla said that the code signing was partly to prevent this attack I trust that they weren't lying.

I guess you should make sure that you don't connect to any non-trusted WiFi APs or surf to any sites that could be hacked from the browser in your car. (Since you have said you won't install 7.1 or 8.0 so your car is vulnerable to being taken over.)
 
I guess you should make sure that you don't connect to any non-trusted WiFi APs or surf to any sites that could be hacked from the browser in your car. (Since you have said you won't install 7.1 or 8.0 so your car is vulnerable to being taken over.)
don't worry, Tesla already fixed this vulnerability a very long time ago. They made a web browser with such a poor experience that there was no risk anyone would actually use it!
 
Greene1 neither of us are lawyers but I have personally seen restraining orders from patent trolls to companies they believe are using their code under the theory that they *could* be damaged by the continuation of selling the software in question. That's just one example, but the point is you don't have to prove you *will* be harmed just that you *could* be harmed.
You're missing the legality point AGAIN. Patent infringement is against the law, hence the ability to get a restraining order to prevent the continuation of such.
Releasing details of this exploit is NOT against the law, hence the impossibility of getting a restraining order to stop it.

Sure, you don't have to prove that you WILL be harmed, only that you COULD be harmed, but you ALSO have to prove that the harm would come from an illegal activity. Otherwise stores would get restraining orders preventing their competition from opening new locations or having sales because it could harm their business. They don't because those activities, although harmful to their business, are not illegal, and hence can not be grounds for a restraining order.
 
don't worry, Tesla already fixed this vulnerability a very long time ago. They made a web browser with such a poor experience that there was no risk anyone would actually use it!

That may be but Keen says you don't even have to use the web browser, that they can perform their hack with you just connecting to a compromised WiFi AP. (Elon disagrees.)

Edit: Green1 pointed out that I had mis-remembered that part. Using the browser is necessary.
 
That may be but Keen says you don't even have to use the web browser, that they can perform their hack with you just connecting to a compromised WiFi AP. (Elon disagrees.)
Wrong.
Elon said you had to BOTH connect to a compromised WiFi AP, AND use the browser,
Keen disagreed and said you don't have to connect to a compromised WiFi AP, only use the browser.

Both Keen and Elon agree that you must use the browser, they disagree on whether you need to connect to a compromised WiFi AP. (it seems likely that the browser is the vulnerable bit, but by using a compromised AP you can drastically increase the chances of getting code to the browser because you don't have to compromise the site the user wants to go to, you can compromise all sites at the router level by MITM)
 
OT,
You're missing the legality point AGAIN. Patent infringement is against the law, hence the ability to get a restraining order to prevent the continuation of such.
Releasing details of this exploit is NOT against the law, hence the impossibility of getting a restraining order to stop it.

Sure, you don't have to prove that you WILL be harmed, only that you COULD be harmed, but you ALSO have to prove that the harm would come from an illegal activity. Otherwise stores would get restraining orders preventing their competition from opening new locations or having sales because it could harm their business. They don't because those activities, although harmful to their business, are not illegal, and hence can not be grounds for a restraining order.
Someone hacking into your car IS illegal. Threatening to show others how to do it would be damaging to Tesla. Put that together and you can get a judge to issue a temporary order. I got that from a friend of mine who specializes in this area. It's not that complicated.
 
If you own the car, accessing its internal functions is perfectly legal. Especially being that Tesla did not have us agree to any licensing. Additionally Tesla has explicitly given permission to do this sort of thing. Nobody has hacked anyone else's car without their permission, nor has anyone threatened to do so.

Nothing illegal has transpired. If it had, do you really think keen would have broadcast it all over the place?

As for disclosing it, that would be legal even if the original act had not been.
 
If you own the car, accessing its internal functions is perfectly legal. Especially being that Tesla did not have us agree to any licensing. Additionally Tesla has explicitly given permission to do this sort of thing. Nobody has hacked anyone else's car without their permission, nor has anyone threatened to do so.

Nothing illegal has transpired. If it had, do you really think keen would have broadcast it all over the place?

As for disclosing it, that would be legal even if the original act had not been.
I thought this was a topic you didn't want to talk about anymore but there you go again opening the door.
1. I think the ownership of the software is not a settled issue.
2. "Tesla has explicitly given permission to do this sort of thing" /citation needed/
3. Keen hasn't broadcast the exploit publicly yet so maybe they do think it was illegal (using your logic).
 
I thought this was a topic you didn't want to talk about anymore but there you go again opening the door.
1. I think the ownership of the software is not a settled issue.
2. "Tesla has explicitly given permission to do this sort of thing" /citation needed/
3. Keen hasn't broadcast the exploit publicly yet so maybe they do think it was illegal (using your logic).

Re: point #2 - Privacy & Legal | Tesla
 
Thanks Greg! I bolded two sections that *might* be in question. 1) Keen wants to publicly disclose the exploit rather than providing the details and POC to Tesla.
2) modifying and accessing data that does not belong to Keen. If Tesla considers their code as their intellectual property this might also be an issue. Anyway time will tell. Thanks for the research. Interesting that no one made the bounty program since 2014.

Responsible Disclosure Guidelines

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. To encourage responsible reporting, we commit that we will not take legal action against you or ask law enforcement to investigate you if you comply with the following Responsible Disclosure Guidelines:

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
  • Make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our services
  • Do not modify or access data that does not belong to you
  • Give us a reasonable time to correct the issue before making any information public
We will attempt to respond to your report within 1-2 business days.
 