RogerHScott
Active Member
I can't say how I know this, but Tesla's software has been scrutinized for security and other problems by more than one outside entity.
Tesla was not hacked - Model S was.
Running Tesla equipment and Tesla software.
I'm in the business and know they have had security assessments in the past too. But this is a continuing process. It's not a once and done thing. When there's an incident you bring in the best to review it and see what the last team missed. SOP.
Yeah no $hit and Dell, Lenovo, etc. may not get hacked but their products sure get hacked. You completely missed my point, it was around nothing is 100% secure.
Tesla is way ahead of the game in this area. Remote control of other cars has been demonstrated a number of times, and at least Tesla can fix it. Anyway, I bet the same bug appears in most other cars' web browsers... oh, wait...
I am dismayed to find out that Tesla is not effectively hardening their systems against external attack. What I saw in this video I consider evidence of gross negligence and ineptitude on the part of Tesla. Such disregard for the safety of their customers is inexcusable. I say this not only as a customer but a stockholder.
One traffic fatality in Florida turned into a media nightmare for Tesla, even though owners mostly understand the limits of technology. Imagine what would happen if a Tesla got hacked on the highway and suddenly stopped on a major highway, causing a 100-car pile up.
That could prove fatal for both customers and the company.
Absolutely, and I didn't mean to in any way imply that it was. In a sense, every time you change a line of code (or a wiring
this is a continuing process. It's not a once and done thing.
PS. I consider this event largely immaterial, and am happy that the company is focused on a secure design of their in-vehicle software, as evidenced by last year's DefCon presentation on the Model S.
No, there is a difference just like any client server design. But if the client (in this case the car) has an inherent exploitable vulnerability, that is Tesla's responsibility to fix whether it's the car or their own infrastructure. They know this which is why they paid a bounty to the researcher and issued an immediate patch. Why, who do you think is responsible for fixing it? The car owner? (LOL).
Just to be clear, do you claim there's no difference between Model S being hacked versus Tesla company? LOL.
It's not clear that they got code past the gateway. Since the center console has a button to engage the parking brake, there's clearly an API through the gateway for the center display to request the parking brake being applied. The running of code from the browser is what allowed that all to occur. So the exploit looked something like:
Got it. So in addition to the gateway they got code to his browser.
We may be saying the same thing but here's my assessment; if they got to the console to engage the brakes that *is* getting past the gateway, you say "getting through the gateway" I say getting "past" same thing. That's point one. Point two is they showed the compromised screen both on the 17" and I think the IC as well right? In any case they hijacked the browser injecting code. The brake thing I'm not sure about. They could have engaged the emergency brake through the console causing him to brake suddenly. The seats were interesting too. Someone upthread mentioned it was the passenger seat which would be odd indeed as that's not connected to the driver profile which they could have controlled. Anyway, it's patched and over now.
It's not clear that they got code past the gateway. Since the center console has a button to engage the parking brake, there's clearly an API through the gateway for the center display to request the parking brake being applied. The running of code from the browser is what allowed that all to occur. So the exploit looked something like:
1) Connect car to hacker-owned AP
2) Hijack browser search request, injecting code results in exploited center display
3) Connect to car, and utilize existing APIs for controlling car functions by instructing center display to request parking brake be applied
This is clearly a big deal, but not as bad as it could have been. It appears the security gateway remained functional, preventing access to the rest of the systems. Therefore, the only vulnerable functions are those exposed on the display.
However, this still raises some concerns. As long as there's a path through the gateway for engaging the brakes, this kind of attack will always be a possibility. It's also not the worst thing that could have happened: you can also engage the Emergency Shutoff from the center display. Why wasn't that demonstrated? Certainly it's more alarming. Perhaps there are additional safety checks on the other side of the gateway for that?
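Added example, not part of the thread and not Tesla's code: a sketch of the kind of check "on the other side of the gateway" the post above asks about, where the gateway treats the center display as untrusted and decides each request from vehicle state it reads itself. The command names, speed threshold and state fields are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical gateway-side policy. All names and thresholds are assumptions
# made for illustration; none come from the thread or from any real vehicle.

@dataclass(frozen=True)
class VehicleState:
    speed_kph: float   # read by the gateway from the vehicle bus,
    gear: str          # never taken from the display's own request

# Default-deny allowlist: command -> predicate over trusted vehicle state.
POLICY = {
    "apply_parking_brake": lambda s: s.speed_kph < 5.0,
    "emergency_power_off": lambda s: s.gear == "P" and s.speed_kph == 0.0,
    "adjust_seat":         lambda s: s.speed_kph < 5.0,
    "set_cabin_temp":      lambda s: True,
}

def authorize(command, state):
    """Return (allowed, reason) for one request coming from the display."""
    check = POLICY.get(command)
    if check is None:
        return False, "denied: command not on allowlist"
    if not check(state):
        return False, "denied: unsafe in current vehicle state"
    return True, "allowed"

def filter_requests(requests, state):
    """Forward only authorized commands; keep an audit trail of every decision.

    Denied safety-relevant requests while moving are a useful detection
    signal that the display itself may be compromised.
    """
    forwarded, audit = [], []
    for command in requests:
        allowed, reason = authorize(command, state)
        audit.append((command, reason))
        if allowed:
            forwarded.append(command)
    return forwarded, audit

if __name__ == "__main__":
    # Constructed sample: requests arriving while driving at highway speed.
    highway = VehicleState(speed_kph=110.0, gear="D")
    sample = ["apply_parking_brake", "set_cabin_temp", "write_can_frame"]
    forwarded, audit = filter_requests(sample, highway)
    print("forwarded:", forwarded)
    for entry in audit:
        print(entry)
```

With a policy like this, a compromised display can still ask for anything its UI exposes, but the gateway, not the display, decides whether the request is safe to act on.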
It doesn't have to be a "random WiFi hotspot". The attacker can set up a hotspot with the same SSID and PSK as one that your car already remembers, e.g. "Tesla Service", and your car will happily connect to it.
Is it common for people to connect to random WiFi hotspots from their car?