
Car Hacking Research: Remote Attack Tesla Motors by Keen Security Lab

I can't say how I know this, but Tesla's software has been scrutinized for security and other problems by more than one outside entity.
I'm in the business and know they have had security assessments in the past too. But this is a continuing process. It's not a once and done thing. When there's an incident you bring in the best to review it and see what the last team missed. SOP.
 
I am dismayed to find out that Tesla is not effectively hardening their systems against external attack. What I saw in this video I consider evidence of gross negligence and ineptitude on the part of Tesla. Such disregard for the safety of their customers is inexcusable. I say this not only as a customer but a stockholder.

One traffic fatality in Florida turned into a media nightmare for Tesla, even though owners mostly understand the limits of technology. Imagine what would happen if a Tesla got hacked on the highway and suddenly stopped on a major highway, causing a 100-car pile up.

That could prove fatal for both customers and the company.
Tesla is way ahead of the game in this area. Remote control of other cars has been demonstrated a number of times, and at least Tesla can fix it. Anyway, I bet the same bug appears in most other cars' web browsers... oh, wait...
 
Just to be clear, do you claim there's no difference between Model S being hacked versus Tesla company? LOL.
No, there is a difference, just like any client-server design. But if the client (in this case the car) has an inherent exploitable vulnerability, that is Tesla's responsibility to fix, whether it's the car or their own infrastructure. They know this, which is why they paid a bounty to the researcher and issued an immediate patch. Why, who do you think is responsible for fixing it? The car owner? (LOL).
 
I agree, but that's not what I was pointing out. A car exploit has the potential to cause direct physical harm or property damage. Hacking company systems will usually not result in injury or property damage (except in cases when the company network/system is compromised in order to hack the car).

PS: Vulnerability management is also different because in a car you have limited storage, bandwidth, CPU cycles and non-upgradeable hardware.
 
Got it. So in addition to the gateway they got code to his browser.
It's not clear that they got code past the gateway. Since the center console has a button to engage the parking brake, there's clearly an API through the gateway for the center display to request the parking brake being applied. The running of code from the browser is what allowed that all to occur. So the exploit looked something like:

1) Connect car to hacker-owned AP
2) Hijack browser search request, injecting code results in exploited center display
3) Connect to car, and utilize existing APIs for controlling car functions by instructing center display to request parking brake be applied

This is clearly a big deal, but not as bad as it could have been. It appears the security gateway remained functional, preventing access to the rest of the systems. Therefore, the only vulnerable functions are those exposed on the display.

However, this still raises some concerns. As long as there's a path through the gateway for engaging the brakes, this kind of attack will always be a possibility. It's also not the worst thing that could have happened: you can also engage the Emergency Shutoff from the center display. Why wasn't that demonstrated? Certainly it's more alarming. Perhaps there are additional safety checks on the other side of the gateway for that?
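
Added example, not part of any post in this thread and not Tesla's code: a minimal model of the "additional safety checks on the other side of the gateway" idea from the post above. The gateway allowlists the functions the display may request and checks each one against vehicle state it reads itself, so a compromised display cannot forge the conditions. Command names, thresholds and the sample requests are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VehicleState:
    """State the gateway reads from the vehicle bus itself (trusted side)."""
    speed_kph: float
    gear: str  # "P", "R", "N" or "D"

# Hypothetical allowlist: command name -> precondition on trusted state.
# Command names and thresholds are constructed for illustration.
POLICY = {
    "seat_adjust": lambda s: True,
    "parking_brake_apply": lambda s: s.speed_kph < 5.0,
    "power_off": lambda s: s.gear == "P" and s.speed_kph == 0.0,
}

def gateway_decide(request: dict, trusted: VehicleState) -> tuple[bool, str]:
    """Decide one display request. State fields inside the request are
    ignored: a compromised display can claim whatever it likes."""
    rule = POLICY.get(request.get("command"))
    if rule is None:
        return False, "command not on allowlist"
    if not rule(trusted):
        return False, "precondition failed for current vehicle state"
    return True, "ok"

def process(requests: list[dict], trusted: VehicleState) -> list[dict]:
    """Return one audit record per request; denials are the detection signal."""
    audit = []
    for req in requests:
        allowed, reason = gateway_decide(req, trusted)
        audit.append({"command": req.get("command"),
                      "allowed": allowed, "reason": reason})
    return audit

# Constructed sample: requests arriving from the display while the car is moving.
MOVING = VehicleState(speed_kph=110.0, gear="D")
SAMPLE_REQUESTS = [
    {"command": "seat_adjust", "position": 3},
    {"command": "parking_brake_apply", "speed_kph": 0},  # forged state claim
    {"command": "power_off"},
    {"command": "raw_bus_write", "frame": "00"},  # not an exposed function
]

if __name__ == "__main__":
    for record in process(SAMPLE_REQUESTS, MOVING):
        print(record)
```

In this model a burst of denied requests from the display while the car is in motion is itself worth alerting on, since the normal UI would not offer those actions in that state.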
 
We may be saying the same thing, but here's my assessment: if they got to the console to engage the brakes, that *is* getting past the gateway. You say "getting through the gateway", I say getting "past"; same thing. That's point one. Point two is they showed the compromised screen both on the 17" and I think the IC as well, right? In any case they hijacked the browser, injecting code. The brake thing I'm not sure about. They could have engaged the emergency brake through the console, causing him to brake suddenly. The seats were interesting too. Someone upthread mentioned it was the passenger seat, which would be odd indeed as that's not connected to the driver profile, which they could have controlled. Anyway, it's patched and over now.
 
I think Tesla's response was outstanding and I love that they have a bug bounty program and good relationships with security researchers. It's a matter of time before another hack is discovered and these processes are important.

I also read from @Ingineer (I think) that Tesla is now signing each build with the last release. Also another good step toward our security. Tesla is about 1 billion times ahead of any other car makers in this area.
 
Tesla hasn't offered this update to my 85D yet.
A quick call to the Watertown Service Center this morning yielded the fact that only 25% of the fleet has the update at this point and I should see something in the next week. Even though the hack requires a rather unique combination unlikely to be encountered in the field, I'd have preferred Tesla make pushing this update to everything in the fleet a top priority. I'd even go so far as accepting a delay in 8.0, if the fix wasn't in 8.0, to get everyone covered. What good is an Autopilot vehicle if someone can interfere with basic vehicle functions remotely?