
Car Hacking Research: Remote Attack Tesla Motors by Keen Security Lab

Responsible Disclosure Guidelines

...
  • Give us a reasonable time to correct the issue before making any information public
We will attempt to respond to your report within 1-2 business days.

Thanks for sharing this. This is good news as it suggests that Tesla will be reasonable in allowing the researchers to disclose the vulnerabilities once a "reasonable time" has passed. Who's with me in ensuring that Tesla stays true to their word?
 
> Thanks for sharing this. This is good news as it suggests that Tesla will be reasonable in allowing the researchers to disclose the vulnerabilities once a "reasonable time" has passed. Who's with me in ensuring that Tesla stays true to their word?
I am as long as they also do the first bullet:
  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC)
 
Sorry I don't follow. It's been confirmed by Tesla that the exploits were patched. Why do you think they have not disclosed everything to Tesla?

"Following the global industry practice on 'responsible disclosure' of product security vulnerabilities, we have reported the technical details of all the vulnerabilities discovered in the research to Tesla. The vulnerabilities have been confirmed by Tesla Product Security Team," it said.

https://www.google.com/amp/phys.org/news/2016-09-tesla-chinese-hack.amp?client=safari
 
I am wondering (after the last embarrassment with the ancient WebKit) why they left the browser running as a UID that could do anything else on the system. Or, if they fixed that particular mistake, whether that means (as it would seem it would have to) the Keen guys _also_ had a privilege escalation exploit against the Linux kernel in use, which would imply that's old too -- which I suppose it well might be.

In either case, unless a substantial update or restructuring has been done on the components involved, it's reasonable to expect they have more vulnerabilities to be found.
 
> Sorry I don't follow. It's been confirmed by Tesla that the exploits were patched. Why do you think they have not disclosed everything to Tesla?
>
> "Following the global industry practice on 'responsible disclosure' of product security vulnerabilities, we have reported the technical details of all the vulnerabilities discovered in the research to Tesla. The vulnerabilities have been confirmed by Tesla Product Security Team," it said.
>
> https://www.google.com/amp/phys.org/news/2016-09-tesla-chinese-hack.amp?client=safari
Well the sentence after what you pasted says:
"Tesla downplayed the risk, saying the intrusion could only be carried out when the car's web browser is in use.

It "also required the car to be physically near to and connected to a malicious Wi-Fi hotspot," the company said."

Keen disputes that last part in this tweet below from last week. That led me to wonder why are they not in sync on this if they provided all the details and the POC. There's no response from Elon saying something like "yeah we retested and you're right". Maybe it's a small thing but I find it incomplete. See what I mean?

[attached image: IMG_1686.PNG, screenshot of the Keen tweet]
 
@msnow - Technically the hotspot is not required. If you point your browser to a page carrying the payload the attack will proceed. The hotspot was just so that they could force the code injection regardless of which website the user visited.
Okay, I believe you which means either Tesla or Keen is not telling the truth. In my world, the security community will lose confidence in Tesla if they are minimizing the risk.
 
> Okay, I believe you which means either Tesla or Keen is not telling the truth. In my world, the security community will lose confidence in Tesla if they are minimizing the risk.

It wouldn't surprise me if it was ignorance on EM/Tesla's part.

It's relatively easy to force anything with Wi-Fi to connect to a malicious hotspot without logging on.

I'd bet a dollar that's what Keen was referring to. EM is probably under the impression that you have to intentionally connect to a malicious hotspot, when in reality an attacker can force you to connect to their hotspot in order to perform the attack.

I don't have my Tesla yet, but I assume the Wi-Fi in it works the same as 97% of Wi-Fi devices on the market, which are vulnerable to deauth/yesman attacks.

In most situations the only requirements to perform the attacks are (1) at least one saved AP in your Wi-Fi connection list and (2) Wi-Fi enabled.
 
> It wouldn't surprise me if it was ignorance on EM/Tesla's part.
>
> It's relatively easy to force anything with Wi-Fi to connect to a malicious hotspot without logging on.
>
> I'd bet a dollar that's what Keen was referring to. EM is probably under the impression that you have to intentionally connect to a malicious hotspot, when in reality an attacker can force you to connect to their hotspot in order to perform the attack.
>
> I don't have my Tesla yet, but I assume the Wi-Fi in it works the same as 97% of Wi-Fi devices on the market, which are vulnerable to deauth/yesman attacks.
>
> In most situations the only requirements to perform the attacks are (1) at least one saved AP in your Wi-Fi connection list and (2) Wi-Fi enabled.
Perhaps Elon, but his security team and CrowdStrike? Another possibility could be that it's not trivial and therefore discounted. If Keen goes public like they seem to want, we will have the answer.
 
This is an old thread, but I wanted to call folks' attention to an article on ZDNet, not about cars, but about web site security, because I think the same points apply.

The author, Steve Ranger, argues that consumers should not take security breaches as something inevitable, but rather make buying decisions based on a company's security performance. One thing Ranger wrote has special application to the Tesla security vulnerability. He said:

> ...companies should design security as a fundamental part of the services we use, not a nice-to-have addition.

Tesla had considered code signing as something they wanted to do, but hadn't gotten around to it. They got around to it AFTER they got pwned by the Chinese team. Code signing is a fundamental best practice in secure software deployment.
 
Keen promised disclosure. How long do we wait before we can officially say they lied about being willing to disclose the vulnerability?

> The author, Steve Ranger, argues that consumers should not take security breaches as something inevitable, but rather make buying decisions based on a company's security performance.<snip>
> Tesla had considered code signing as something they wanted to do, but hadn't gotten around to it. They got around to it AFTER they got pwned by the Chinese team. Code signing is a fundamental best practice in secure software deployment.
If you wait for a company to do that, you won't buy ANY electronic product. You can give up now on ever driving a car newer than 2000.
Tesla has the absolute best security in the business, they missed something, but so does everyone else. They did fix it quickly once notified, and that's the true test, not if something gets hacked, because that's 100% guaranteed, the real test is how they respond to it. As for code signing, it had ZERO to do with the hackers getting in, and implementing it does ZERO to protect users.
Code signing is a way for companies to wage all-out war on their paying customers. It is NOT a way of protecting the product from remote exploits.
 
> This is an old thread, but I wanted to call folks' attention to an article on ZDNet, not about cars, but about web site security, because I think the same points apply.
>
> The author, Steve Ranger, argues that consumers should not take security breaches as something inevitable, but rather make buying decisions based on a company's security performance. One thing Ranger wrote has special application to the Tesla security vulnerability. He said:
>
> Tesla had considered code signing as something they wanted to do, but hadn't gotten around to it. They got around to it AFTER they got pwned by the Chinese team. Code signing is a fundamental best practice in secure software deployment.

Actually, Tesla has always utilized various security methods with the firmware on the car, including cryptographic signing, as far back as I have data. The update process also incorporates per-car encrypted patches, data transfers over an encrypted VPN, and quite a few other security features.

Tesla, starting with v7.1 (2.36.31) (off the top of my head...), added supplemental checks during the update process that further verified what was being updated before and during the update process, even after the initial encryption and signature checks had been successful. Things are now verified even more than they were before by even more hardware on the car with even more granular items including their own signatures (which are inside the existing signed data, so multiple layers now).

So, it's not that they "hadn't gotten around to it" or only implemented signature checking after a hack. This setup was already quite secure and what they got around to was improving that security.
 
> Tesla has the absolute best security in the business, they missed something, but so does everyone else. They did fix it quickly once notified, and that's the true test, not if something gets hacked, because that's 100% guaranteed, the real test is how they respond to it. As for code signing, it had ZERO to do with the hackers getting in, and implementing it does ZERO to protect users.
> Code signing is a way for companies to wage all-out war on their paying customers. It is NOT a way of protecting the product from remote exploits.

Why do you think that Tesla has "the absolute best security in the business"? I'll wait patiently for your reply. Do you even know what code signing is? It doesn't sound like it.

The thrust of the article is that security will not improve when everyone has an attitude like yours that "everybody gets hacked." Companies must be held accountable or else there is no incentive for them to do better.
 
> Keen promised disclosure. How long do we wait before we can officially say they lied about being willing to disclose the vulnerability?

> If you wait for a company to do that, you won't buy ANY electronic product. You can give up now on ever driving a car newer than 2000.
> Tesla has the absolute best security in the business, they missed something, but so does everyone else. They did fix it quickly once notified, and that's the true test, not if something gets hacked, because that's 100% guaranteed, the real test is how they respond to it. As for code signing, it had ZERO to do with the hackers getting in, and implementing it does ZERO to protect users.
> Code signing is a way for companies to wage all-out war on their paying customers. It is NOT a way of protecting the product from remote exploits.
It's another layer of protection after gaining access remotely. It would mitigate against overwriting Tesla's code with the attacker's.
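Added example, not code from this thread, from Tesla or from Keen: a small Go program using only the standard library's Ed25519 that models the layering described earlier in the thread (per-component signatures sitting inside an outer signed package) and the point in the reply above that signing limits what someone who already has write access can install. Component names, image bytes and keys are constructed here, and the split into a package key and a separate component key is an assumption for illustration, not any vendor's actual key layout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Component is one item in an update package, e.g. a firmware image for a
// single controller. It carries its own inner signature over its contents.
type Component struct {
	Name string
	Data []byte
	Sig  []byte // inner signature, made with the component key
}

// Package is the outer envelope: the components plus an outer signature over
// a digest of every component, including each inner signature.
type Package struct {
	Components []Component
	Sig        []byte // outer signature, made with the package key
}

// componentMessage binds a component's name to its data so that a valid inner
// signature cannot be transplanted onto a differently named component.
func componentMessage(name string, data []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so the name/data boundary is unambiguous
	h.Write(data)
	return h.Sum(nil)
}

// packageDigest covers every component's name, data and inner signature, so
// the outer signature breaks if anything inside the package changes.
func packageDigest(p Package) []byte {
	h := sha256.New()
	for _, c := range p.Components {
		h.Write(componentMessage(c.Name, c.Data))
		h.Write(c.Sig)
	}
	return h.Sum(nil)
}

// BuildPackage signs each component with compKey, then signs the whole
// package with pkgKey. Two keys model two layers held by different parties
// (an assumption for illustration, not any vendor's actual design).
func BuildPackage(pkgKey, compKey ed25519.PrivateKey, comps []Component) Package {
	var out Package
	for _, c := range comps {
		c.Sig = ed25519.Sign(compKey, componentMessage(c.Name, c.Data))
		out.Components = append(out.Components, c)
	}
	out.Sig = ed25519.Sign(pkgKey, packageDigest(out))
	return out
}

// VerifyPackage checks the outer signature first, then every inner one.
// Both layers must pass; the device should write nothing otherwise.
func VerifyPackage(pkgPub, compPub ed25519.PublicKey, p Package) error {
	if !ed25519.Verify(pkgPub, packageDigest(p), p.Sig) {
		return errors.New("outer package signature invalid")
	}
	for _, c := range p.Components {
		if !ed25519.Verify(compPub, componentMessage(c.Name, c.Data), c.Sig) {
			return fmt.Errorf("inner signature invalid for component %q", c.Name)
		}
	}
	return nil
}

// Scenario builds a two-component package from constructed sample bytes and
// returns three verification results: the genuine package; the package after
// someone with write access swaps one image in place; and the same tampered
// package after the outer layer is re-signed (modelling a leaked package key)
// while no matching inner signature can be produced.
func Scenario() (genuine, tampered, resigned error) {
	pkgPub, pkgKey, _ := ed25519.GenerateKey(rand.Reader)
	compPub, compKey, _ := ed25519.GenerateKey(rand.Reader)

	comps := []Component{
		{Name: "gateway", Data: []byte("gateway firmware image (constructed sample)")},
		{Name: "display", Data: []byte("display firmware image (constructed sample)")},
	}
	p := BuildPackage(pkgKey, compKey, comps)
	genuine = VerifyPackage(pkgPub, compPub, p)

	// Overwrite the display image but keep both signatures as they were.
	p.Components[1].Data = []byte("replacement image (constructed sample)")
	tampered = VerifyPackage(pkgPub, compPub, p)

	// Re-sign only the outer layer; the inner signature still covers old data.
	p.Sig = ed25519.Sign(pkgKey, packageDigest(p))
	resigned = VerifyPackage(pkgPub, compPub, p)
	return genuine, tampered, resigned
}

func main() {
	g, t, r := Scenario()
	fmt.Println("genuine package:  ", g)
	fmt.Println("tampered package: ", t)
	fmt.Println("re-signed outer:  ", r)
}
```

Run it with `go run`. The three printed results show a genuine package verifying (nil), an in-place image swap failing the outer signature, and a re-signed outer layer still failing on the inner per-component signature. That last case is what signatures inside the signed data buy: compromising one layer's key is not enough to get a modified image past the check.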