Car Hacking Research: Remote Attack Tesla Motors by Keen Security Lab

[lklundin]

I think Tesla will survive a software exploit that requires a specific set of unlikely circumstances (rouge website and hacked wi-fi network) that hasn't been exploited in the real world (as far as we know), and nobody was injured or killed, and Tesla issued a firmware update within a day to address the problem (which didn't require the physical recall of millions of vehicles)

Let's imagine a yet to be found vulnerability that would compromise the WIFI-component of (some) Tesla cars to the point that each affected vehicle would be unable to accept a firmware update over the air.

Would it be technically possible for Tesla to push out a firmware update via the cabled connection in the Supercharger stall?
That would still be a lot better than having to issue an actual recall.

 

[RichardL]

Did I miss why, if the latest update is to patch this, why haven't all cars received this yet? I haven't on my classic, even though I was within a Geofence for some time on Sunday (buying an X!) Since I never connect to any other wifi network other than my own, I am not worried, but it hasn't been 100% yet

 

[apacheguy]

There is no existing mechanism to push updates over a supercharger. Supercharger communicates on CAN which is behind the gateway so this would be extremely difficult.

 

[msnow]

There is no existing mechanism to push updates over a supercharger. Supercharger communicates on CAN which is behind the gateway so this would be extremely difficult.

No, that's not what I meant. The *location* that they sent him to perhaps has a wifi access point that they "owned". Why else did they send him there before they took over his car? It might have been the only one around and knew the car had cached the credentials. Make sense?

 

[Vitold]

Let's imagine a yet to be found vulnerability that would compromise the WIFI-component of (some) Tesla cars to the point that each affected vehicle would be unable to accept a firmware update over the air.

Would it be technically possible for Tesla to push out a firmware update via the cabled connection in the Supercharger stall?
That would still be a lot better than having to issue an actual recall.

Presumably a hard reset would restore the car to pre-exploit state so you can connect to the wifi and grab the patch.

 

[apacheguy]

No, that's not what I meant. The *location* that they sent him to perhaps has a wifi access point that they "owned". Why else did they send him there before they took over his car? It might have been the only one around and knew the car had cached the credentials. Make sense?

I was not responding to you. I was responding to @lklundin

 

[MP3Mike]

No, that's not what I meant. The *location* that they sent him to perhaps has a wifi access point that they "owned". Why else did they send him there before they took over his car? It might have been the only one around and knew the car had cached the credentials. Make sense?

They didn't send him anywhere, they just asked him to search for a charging location. (Which made him use the web browser.) I assume that they already had the car hooked to their malicious WiFi hotspot. (They just left that detail out of the video.)

 

[apacheguy]

I assume that they already had the car hooked to their malicious WiFi hotspot. (They just left that detail out of the video.)

Right and therein lied the source of my confusion.

 

[HankLloydRight]

Why does the color matter? Or did you mean "rogue"?

I do that all the time. I blame my dyslexia.

Thanks.

 

[HankLloydRight]

Let's imagine a yet to be found vulnerability that would compromise the WIFI-component of (some) Tesla cars to the point that each affected vehicle would be unable to accept a firmware update over the air.

I think in an actual worse-case scenario where OTA updates are blocked, the car can be taken (or towed) to a service center for a hard-wired reset. Or even a Tesla Ranger sent out to the immobile car to do it.

In a worst-worst-case scenario, the MCU can be replaced if the computer is bricked.

 

[msnow]

They didn't send him anywhere, they just asked him to search for a charging location. (Which made him use the web browser.) I assume that they already had the car hooked to their malicious WiFi hotspot. (They just left that detail out of the video.)

Got it. So in addition to the gateway they got code to his browser.

 

[AB4EJ]

The consensus seems to be that this was a man-in-the-middle attack using a hacked wifi spot. (This approach is often used by governments to monitor cellphone conversations, as you can create a cell tower impersonator system.) When I first saw it though, I thought, "how do we know that they haven't connected additional hardware to the vehicle that you don't see?" Are we sure that nothing was connected to any of the car's systems? (Sorry if this is an ignorant question)

 

[somnambule]

Right and therein lied the source of my confusion.

I was confused about that as well. Does Tesla not use cellular connections in some parts of the world for map search, browser etc. (I presume this demo was in China, as it was done by a subsidiary of Tencent)? Is it common for people to connect to random WiFi hotspots from their car?

 

[Vitold]

The consensus seems to be that this was a man-in-the-middle attack using a hacked wifi spot. (This approach is often used by governments to monitor cellphone conversations, as you can create a cell tower impersonator system.) When I first saw it though, I thought, "how do we know that they haven't connected additional hardware to the vehicle that you don't see?" Are we sure that nothing was connected to any of the car's systems? (Sorry if this is an ignorant question)

They will provide details in a few days.

(btw, cell phones work differently than WIFI)

 

[lklundin]

The consensus seems to be that this was a man-in-the-middle attack using a hacked wifi spot. (This approach is often used by governments to monitor cellphone conversations, as you can create a cell tower impersonator system.)

If was going to 'Dislike' your comparison between hackers and governments, since fake cell-towers and malicious WIFI-networks are entirely different types of man-in-the-middle attacks.

But it is in fact very insightful to compare warrantless snooping on cell-phone conversations with non-state sanctioned hacking.

 

[Lump]

After last years physical hack, access to critical functions were reported to be cut off?
Researchers Hacked a Model S, But Tesla's Already On It

“Tesla has taken a number of different measures to address the effects of all six vulnerabilities reported by [the researchers],” a Tesla spokeswoman told WIRED in an email. “In particular, the path that the team used to achieve root (superuser) privileges on the infotainment system has been closed off at several different points.” She also noted that the effects of some other vulnerabilities have been mitigated. “In particular, the browser has been further isolated from the rest of the infotainment system using several different layered methods.”

Though the Tesla hacks highlight some of the dangers around digitally connected cars, the researchers’ findings are not as serious as those demonstrated two weeks ago against a Chrysler Jeep. In that case, the vehicle had no separation between its infotainment system and the critical drive system, so once researchers compromised the infotainment system they could communicate with the drive system and cut the brakes or control the steering if the car was in reverse. Tesla, however, has a gateway between the infotainment and drive systems that is intended to prevent a hacker, remote or otherwise, from reaching critical functions like these.

 

[MP3Mike]

I was confused about that as well. Does Tesla not use cellular connections in some parts of the world for map search, browser etc. (I presume this demo was in China, as it was done by a subsidiary of Tencent)? Is it common for people to connect to random WiFi hotspots from their car?

This was about what is possible not what is probably. Which is why Tesla said "Our realistic estimate is that the risk to our customers was very low..." Because people aren't going to take the time to connect to some random WiFi unless there was no cellular signal available in the area.

 

[msnow]

This was about what is possible not what is probably. Which is why Tesla said "Our realistic estimate is that the risk to our customers was very low..." Because people aren't going to take the time to connect to some random WiFi unless there was no cellular signal available in the area.

I'd take Tesla's response from their PR group with a grain of salt. As someone who is very familiar with things like this, that is a typical boilerplate response. What's going on now or should be going on internally is hiring an independent Information Security company to do a full review and risk analysis of Tesla's systems. They will need this to show regulators, insurers, and possibly shareholders if asked. This is a good thing for us and Tesla to ensure protection even if this incident was insignificant which it likely was.

 

[theslimshadyist]

I am dismayed to find out that Tesla is not effectively hardening their systems against external attack. What I saw in this video I consider evidence of gross negligence and ineptitude on the part of Tesla. Such disregard for the safety of their customers is inexcusable. I say this not only as a customer but a stockholder.

One traffic fatality in Florida turned into a media nightmare for Tesla, even though owners mostly understand the limits of technology. Imagine what would happen if a Tesla got hacked on the highway and suddenly stopped on a major highway, causing a 100-car pile up.

That could prove fatal for both customers and the company.

There are only 2 types of companies in this world. Those that have been hacked and those that will.

 

[Vitold]

There are only 2 types of companies in this world. Those that have been hacked and those that will.

Tesla was not hacked - Model S was.